Abstract

In the Declarative Networking paradigm, Datalog-like languages are used to express distributed computations. Whereas formal operational semantics for these languages have recently been developed, a corresponding declarative semantics has been lacking so far. The challenge is to capture precisely the amount of nondeterminism that is inherent to distributed computations due to concurrency, networking delays, and asynchronous communication. This paper shows how a declarative, model-based semantics can be obtained by simply using the well-known stable model semantics for Datalog with negation. We show that the model-based semantics matches previously proposed formal operational semantics.

To appear in Theory and Practice of Logic Programming (TPLP). 

KEYWORDS: Dedalus, Datalog, stable model semantics, distributed system, asynchronous 
communication 


1 Introduction 

Cloud environments have emerged as a modern way to store and manipulate data (Zhang et al. 2010; Cavage 2013). For our purposes, a cloud is a distributed system that should produce output as the result of some computation. We use the common term "node" as a synonym for an individual computer or server in a network.

In recent years, logic programming has been proposed as an attractive foundation for distributed and cloud programming, building on work in declarative networking (Loo et al. 2009). The essential idea in declarative networking is that the programmer uses a high-level declarative language (like Datalog) to specify only what has to happen, and not exactly how. For example, the programmer could specify only that certain messages are generated in reply to other messages; the exact technical details to send (and possibly resend) messages over transmission protocols are filled in by some runtime engine. This frees the programmer from thinking in low-level terms that distract from the actual meaning of the specific program at hand. In particular, complex distributed algorithms and protocols can be expressed in relatively few lines of code (I.Tim 2001; Alvaro et al. 2009; Hellerstein 2010b). Besides the interest in declarative networking, we are also seeing a more general resurgence of Datalog (with negation) (de Moor et al. 2011; Huang et al. 2011). Moreover, issues related to data-oriented distributed computing are receiving attention at database theory conferences (Hellerstein 2010a; Ameloot et al. 2011; Abiteboul et al. 2011; Ameloot and Van den Bussche 2012; Zinn et al. 2012).

One of the latest languages proposed in declarative networking is Dedalus (Alvaro et al. 2009; Alvaro et al. 2011; Hellerstein 2010b), a Datalog-inspired language that has influenced other recent language designs for distributed and cloud computing such as Webdamlog (Abiteboul et al. 2011) and Bloom (Alvaro et al. 2011).

Model-based semantics In this paper, we describe the meaning of distributed Datalog programs using a model-based semantics. This approach contrasts with most previous work in declarative networking, where the meaning of programs was typically described with an operational semantics (Deutsch et al. 2006; Navarro and Rybalchenko 2009; Grumbach and Wang 2010; Ameloot et al. 2011), with a few exceptions (Lobo et al. 2012; Ma et al. 2013).

There are several important motivations for a model-based semantics of a distributed program. First, we can better separate the program structure, i.e., the rules, from the (distributed) implementation that may change over time. For example, consider rules that generate messages. These rules can be implemented with asynchronous communication, but how we evaluate them across machines is eventually just a physical performance decision. Said differently, the point of message rules is not to model a physical phenomenon, but rather to admit a wider array of physical implementations than a local evaluation strategy. Model-based interpretations of a program admit all such implementations, and can perhaps suggest some new ones.

Second, we can investigate the need for time: we can think about when temporal delay is needed for expressivity, rather than when it is imposed upon us by some implementation detail like physical separation of nodes. In this context we mention the CRON conjecture by Hellerstein, that relates causality on messages to the nature of the computations in which those messages participate (Hellerstein 2010b; Ameloot and Van den Bussche 2014). We elaborate on causality below.

Concretely, our approach will be to model a distributed program with Datalog under the stable model semantics (Gelfond and Lifschitz 1988) because this semantics is widely used in logic programming. Following the language Dedalus (Alvaro et al. 2009; Alvaro et al. 2011; Hellerstein 2010b), we express the functionality of the distributed program with three kinds of rules: "deductive rules" for local computation, "inductive rules" for persisting memory across local computation steps, and "asynchronous rules" for representing message sending. The asynchronous rules will nondeterministically choose the arrival times of messages (Krishnamurthy and Naqvi 1988; Saccà and Zaniolo 1990).

However, using only the above rules is not sufficient, as this still allows stable models that express undesirable computations, where messages can be sent "into the past". Therefore, each program is augmented with a set of rules that express causality on the messages. Causality stands for the physical constraint that an effect can only happen after its cause. Applied to message delivery, this intuitively means that a sent message can only be delivered in the future, not in the past. The rules for causality reason from the perspective of the local times of each node, which is a justified approach since there is no common "global clock" in a distributed environment (Attiya and Welch 2004). As a second improvement, we also introduce rules to ensure that only a finite number of messages arrive at each local step of a node, as occurs in a real distributed system. Applying the stable model semantics to the augmented Datalog programs constitutes our modeling of a distributed (Datalog) program.

On another note, it is already well-known that for finite input domains, the combination of Datalog and stable model semantics allows for expressing all problems in NP (Marek and Truszczyński 1999). However, it is not yet clear what can be represented when infinite input domains are considered. From this perspective, our work demonstrates that the stable model semantics is indeed also suitable for modeling distributed programs, whose execution is unbounded in time. Here, time would be provided as an infinite input.

Correctness As we have motivated above, our goal is to describe the workings of a distributed system declaratively, so that new insights can emerge from this perspective. Hence, it is important to verify that the model-based semantics really corresponds to the execution of a distributed program.

To this end, we additionally formalize the execution of a distributed Datalog program by means of an operational semantics (Deutsch et al. 2006; Navarro and Rybalchenko 2009; Grumbach and Wang 2010; Ameloot et al. 2011). This second semantics is defined as a transition system. The transition system is infinite because nodes run indefinitely and keep sending messages. In addition, the transition system is highly nondeterministic, because nodes work concurrently and messages can be delayed.

We establish rigorously a correspondence between the features of the operational 
semantics and the features of the proposed model-based semantics. To formulate 
our result, we describe each operational execution by a structure that we call a 
trace, which includes for each node in the network the detailed information about 
the local steps it has performed and about the messages it has sent and received. For 
our distributed Datalog programs, we show that such operational traces correspond 
to the set of stable models. 

Outline This paper is organized as follows. First, Section 2 discusses related work. Section 3 gives preliminaries. Next, Section 4 represents distributed Datalog programs under the model-based semantics; this section is based on Dedalus, a Datalog-like language. Section 5 justifies the intuitions of the model-based semantics by establishing an equivalence with an operational semantics. Section 6 finishes with the conclusion.


2 Related Work 

The work of Lobo et al. (2012) is closely related to our work. For a Dedalus-inspired language, they give a model-theoretic semantics based on answer set programming, i.e., stable models. To define this semantics, they syntactically translate the rules of their language to Datalog, where all literals are given an explicit location and time variable, to represent the data that each node has during each local time. This translation resembles the model-theoretic semantics for distributed Datalog programs in this paper. To enforce natural execution properties in their semantics, like causality, Lobo et al. specify auxiliary rules in the syntactical translation. The work of Lobo et al. (2012) does not yet mention the connection between the model-theoretic semantics and desired executions of a distributed system, i.e., an operational semantics.

Extending the work of Lobo et al., the work of Ma et al. (2013) formalizes a distributed system as a composition of I/O automata (Lynch 1996). An operational execution of such a system is a sequence of valid transitions, called a trace. Global properties of the system can be analyzed by translating it into a logic program, to which an answer set solver can be applied. Ma et al. mention that operational traces of the system correspond to answer sets of the logic program, and that this provides a formal foundation for the analysis tools based on answer set programming. Thus, the work of Ma et al. (2013) indicates a practical benefit of having a correspondence between a declarative and operational semantics for languages used in declarative networking. As mentioned above, we also establish a similar correspondence in the current paper, for our distributed Datalog programs. We note, however, a few differences between our work and that of Ma et al. First, in the work of Ma et al., the message buffer of a node has a maximum size. In our operational semantics, the buffers are unbounded. Moreover, Ma et al. construct their logic programs for a fixed range of timestamps. In our declarative, model-based semantics, time is given as an infinite input to a Datalog program whose rules are independent of a fixed time range. Lastly, our work devotes much attention to rigorously showing the correspondence between the declarative and operational semantics, whereas this is not elaborated in the work of Ma et al.

Also in the setting of distributed systems, Interlandi et al. (2013) give a Dedalus-inspired language for describing synchronous systems. In such systems, the nodes of the network proceed in rounds and the messages can not be arbitrarily delayed. During each round, the nodes share the same global clock. Interlandi et al. specify an operational semantics for their language, based on relational transducer networks (Ameloot et al. 2013). They also show that this operational semantics coincides with a model-theoretic semantics of a single holistic Datalog program. It should be noted that Lobo et al. (2012), and the current paper, deal with asynchronous systems, which in general pose a bigger challenge for a distributed program to be correct, i.e., the program should remain unaffected by nondeterministic effects caused by message delays.

An area of artificial intelligence that is closely related to declarative networking is that of programming multi-agent systems in declarative languages. The knowledge of an agent can be expressed by a logic program, which also allows for non-monotone reasoning, and agents update their knowledge by modifying the rules in these logic programs (Leite et al. 2002; Nigam and Leite 2006; Leite and Soares 2007).

The language LUPS (Alferes et al. 2002) was designed to specify such dynamic updates to logic programs, and LUPS is also a declarative language itself. After applying a sequence of updates specified in LUPS, the semantics of the resulting logic program can be defined in an inductive way. But an interesting connection to this current work is that the semantics can also be given by first syntactically translating the original program and its updates into a single normal logic program, after which the stable model semantics is applied (Alferes et al. 2002). It should be noted however that in this second semantics, there is no modeling of causality or the sending of messages.

Of course, logic programming is not the only means for specifying a (distributed) system. For example, in the area of formal methods, logic-based languages like TLA (Lamport 2000a), Z (Woodcock and Davies 1996), and Event-B (Abrial 2010) can be used to specify various distributed algorithms. Specifications written in these languages can also be automatically checked for correctness.

Although we work within the established setting of declarative networking (Loo et al. 2009), the scientific debate on the merits of Datalog versus other formalisms for programming distributed systems remains open. It seems desirable to have an analysis of how features of Datalog relate to the features of other languages for formal specification, e.g. (Lamport 2000a; Woodcock and Davies 1996; Abrial 2010), both on the syntactical and the semantical level. However, a deep understanding of the other languages would be needed. Moreover, one may expect that features of Datalog will in general not map naturally to features of the other languages. Hence, we consider such a comparison to be a separate research project, outside the scope of the current paper.


3 Preliminaries 
3.1 Database Basics 

A database schema $\mathcal{D}$ is a finite set of pairs $(R, k)$ where $R$ is a relation name and $k \in \mathbb{N}$ its associated arity. A relation name occurs at most once in a database schema. We often write $(R, k)$ as $R/k$.

We assume some infinite universe $\mathbf{dom}$ of atomic data values. A fact $f$ is a pair $(R, \bar a)$, often denoted as $R(\bar a)$, where $R$ is a relation name and $\bar a$ is a tuple of values over $\mathbf{dom}$. For a fact $R(\bar a)$, we call $R$ the predicate. We say that a fact $R(a_1, \ldots, a_k)$ is over database schema $\mathcal{D}$ if $R/k \in \mathcal{D}$. A database instance $I$ over $\mathcal{D}$ is a set of facts over $\mathcal{D}$. For a subset $\mathcal{D}' \subseteq \mathcal{D}$, we write $I|_{\mathcal{D}'}$ to denote the subset of facts in $I$ whose predicate is a relation name in $\mathcal{D}'$. We write $adom(I)$ to denote the set of values occurring in facts of $I$.


3.2 Datalog with Negation 

We recall Datalog with negation (Abiteboul et al. 1995), abbreviated Datalog$^\neg$. We assume the standard database perspective, where a Datalog$^\neg$ program is evaluated over a given set of facts, i.e., where these facts are not part of the program itself.

Let $\mathbf{var}$ be a universe of variables, disjoint from $\mathbf{dom}$. An atom is of the form $R(u_1, \ldots, u_k)$ where $R$ is a relation name and $u_i \in \mathbf{var} \cup \mathbf{dom}$ for each $i = 1, \ldots, k$. We call $R$ the predicate. If an atom contains no data values, we call it constant-free. A literal is an atom or an atom with "$\neg$" prepended. A literal that is an atom is called positive and otherwise it is called negative.

It will be technically convenient to use a slightly unconventional definition of rules. Formally, a Datalog$^\neg$ rule $\varphi$ is a triple

$(head_\varphi,\ pos_\varphi,\ neg_\varphi)$

where $head_\varphi$ is an atom; $pos_\varphi$ and $neg_\varphi$ are sets of atoms; and, the variables in $\varphi$ all occur in $pos_\varphi$. This last condition is called safety. The components $head_\varphi$, $pos_\varphi$ and $neg_\varphi$ are called respectively the head, the positive body atoms and the negative body atoms. We refer to $pos_\varphi \cup neg_\varphi$ as the body atoms. Note, $neg_\varphi$ contains just atoms, not negative literals. Every Datalog$^\neg$ rule $\varphi$ must have a head, whereas $pos_\varphi$ and $neg_\varphi$ may be empty. If $neg_\varphi = \emptyset$ then $\varphi$ is called positive.

A rule $\varphi$ may be written in the conventional syntax. For instance, if $head_\varphi = T(u, v)$, $pos_\varphi = \{R(u, v)\}$ and $neg_\varphi = \{S(v)\}$, with $u, v \in \mathbf{var}$, then we can write $\varphi$ as

$T(u, v) \leftarrow R(u, v),\ \neg S(v).$

The specific ordering of literals to the right of the arrow has no significance in this paper.

The set of variables of $\varphi$ is denoted $vars(\varphi)$. If $vars(\varphi) = \emptyset$ then $\varphi$ is called ground, in which case $\{head_\varphi\} \cup pos_\varphi \cup neg_\varphi$ is a set of facts.

Let $\mathcal{D}$ be a database schema. A rule $\varphi$ is said to be over schema $\mathcal{D}$ if for each atom $R(u_1, \ldots, u_k) \in \{head_\varphi\} \cup pos_\varphi \cup neg_\varphi$ we have $R/k \in \mathcal{D}$. A Datalog$^\neg$ program $P$ over $\mathcal{D}$ is a set of (safe) Datalog$^\neg$ rules over $\mathcal{D}$. We write $sch(P)$ to denote the smallest database schema that $P$ is over; note, $sch(P)$ is uniquely defined. We define $idb(P) \subseteq sch(P)$ to be the database schema consisting of all relations in rule-heads of $P$. We abbreviate $edb(P) = sch(P) \setminus idb(P)$.¹

Any database instance $I$ over $sch(P)$ can be given as input to $P$. Note, $I$ may already contain facts over $idb(P)$.² Let $\varphi \in P$. A valuation for $\varphi$ is a total function $V : vars(\varphi) \to \mathbf{dom}$. The application of $V$ to an atom $R(u_1, \ldots, u_k)$ of $\varphi$, denoted $V(R(u_1, \ldots, u_k))$, results in the fact $R(a_1, \ldots, a_k)$ where for each $i \in \{1, \ldots, k\}$ we have $a_i = V(u_i)$ if $u_i \in \mathbf{var}$ and $a_i = u_i$ otherwise. In words: applying $V$ replaces the variables by data values and leaves the old data values unchanged. This is naturally extended to a set of atoms, which results in a set of facts. Valuation $V$ is said to be satisfying for $\varphi$ on $I$ if $V(pos_\varphi) \subseteq I$ and $V(neg_\varphi) \cap I = \emptyset$. If so, $\varphi$ is said to derive the fact $V(head_\varphi)$.

¹ The abbreviation "idb" stands for "intensional database schema" and "edb" stands for "extensional database schema" (Abiteboul et al. 1995).

² The need for this will become clear in Section 4.


3.2.1 Positive and Semi-positive 

Let $P$ be a Datalog$^\neg$ program. We say that $P$ is positive if all rules of $P$ are positive. We say that $P$ is semi-positive if for each rule $\varphi \in P$, the atoms of $neg_\varphi$ are over $edb(P)$. Note, positive programs are semi-positive.

We now give the semantics of a semi-positive Datalog$^\neg$ program $P$ (Abiteboul et al. 1995). First, let $T_P$ be the immediate consequence operator that maps each instance $J$ over $sch(P)$ to the instance $J' = J \cup A$ where $A$ is the set of facts derived by all possible satisfying valuations for the rules of $P$ on $J$.

Let $I$ be an instance over $sch(P)$. Consider the infinite sequence $I_0, I_1, I_2$, etc., inductively defined as follows: $I_0 = I$ and $I_i = T_P(I_{i-1})$ for each $i \geq 1$. The output of $P$ on input $I$, denoted $P(I)$, is defined as $\bigcup_i I_i$; this is the minimal fixpoint of the $T_P$ operator above $I$. Note, $I \subseteq P(I)$. When $I$ is finite, the fixpoint is finite and can be computed in polynomial time according to data complexity (Vardi 1982).


3.2.2 Stratified Semantics 

We now recall the stratified semantics for a Datalog$^\neg$ program $P$ (Abiteboul et al. 1995). As a slight abuse of notation, here we will treat $idb(P)$ as a set of only relation names (without associated arities). First, $P$ is called syntactically stratifiable if there is a function $\sigma : idb(P) \to \{1, \ldots, |idb(P)|\}$ such that for each rule $\varphi \in P$, having some head predicate $T$, the following conditions are satisfied:

• $\sigma(R) \leq \sigma(T)$ for each $R(\bar u) \in pos_\varphi|_{idb(P)}$;

• $\sigma(R) < \sigma(T)$ for each $R(\bar u) \in neg_\varphi|_{idb(P)}$.

For $R \in idb(P)$, we call $\sigma(R)$ the stratum number of $R$. For technical convenience, we may assume that if there is an $R \in idb(P)$ with $\sigma(R) > 1$ then there is an $S \in idb(P)$ with $\sigma(S) = \sigma(R) - 1$. Intuitively, function $\sigma$ partitions $P$ into a sequence of semi-positive Datalog$^\neg$ programs $P_1, \ldots, P_k$ with $k \leq |idb(P)|$ such that for each $i = 1, \ldots, k$, the program $P_i$ contains the rules of $P$ whose head predicate has stratum number $i$. This sequence is called a syntactic stratification of $P$. We can now apply the stratified semantics to $P$: for an input $I$ over $sch(P)$, we first compute the fixpoint $P_1(I)$, then the fixpoint $P_2(P_1(I))$, etc. The output of $P$ on input $I$, denoted $P(I)$, is defined as $P_k(P_{k-1}(\cdots P_1(I) \cdots))$. It is well known that the output of $P$ does not depend on the chosen syntactic stratification (if more than one exists). Not all Datalog$^\neg$ programs are syntactically stratifiable.
3.2.3 Stable Model Semantics

We now recall the stable model semantics for a Datalog$^\neg$ program $P$ (Gelfond and Lifschitz 1988; Saccà and Zaniolo 1990). Let $I$ be an instance over $sch(P)$. Let $\varphi \in P$. Let $V$ be a valuation for $\varphi$ whose image is contained in $adom(I) \cup C$, where $C$ is the set of all constants appearing in $P$. Valuation $V$ does not have to be satisfying for $\varphi$ on $I$. Together, $V$ and $\varphi$ give rise to a ground rule $\psi$, obtained from $\varphi$ by replacing each $u \in vars(\varphi)$ with $V(u)$. We call $\psi$ a ground rule of $\varphi$ with respect to $I$. Let $ground(\varphi, I)$ denote the set of all ground rules of $\varphi$ with respect to $I$. The ground program of $P$ on $I$, denoted $ground(P, I)$, is defined as $\bigcup_{\varphi \in P} ground(\varphi, I)$. Note, if $I = \emptyset$, the set $ground(P, I)$ contains only rules whose ground atoms are made with $C$, or atoms that are nullary.

Let $M$ be another instance over $sch(P)$. We write $ground_M(P, I)$ to denote the program obtained from $ground(P, I)$ as follows:

1. remove every rule $\psi \in ground(P, I)$ for which $neg_\psi \cap M \neq \emptyset$;

2. remove the negative (ground) body atoms from all remaining rules.

Note, $ground_M(P, I)$ is a positive program. We say that $M$ is a stable model of $P$ on input $I$ if $M$ is the output of $ground_M(P, I)$ on input $I$. If so, the semantics of positive Datalog$^\neg$ programs implies $I \subseteq M$. Not all Datalog$^\neg$ programs have stable models on every input (Gelfond and Lifschitz 1988).
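The three semantics of Sections 3.2.1 to 3.2.3 in executable form, as an added example that is not code from the paper. It assumes a concrete representation (atoms as `(predicate, args)` tuples, variables as strings starting with an uppercase letter, a rule as the triple `(head, pos, neg)` of Section 3.2) and implements $T_P$ and its fixpoint, the stratum function $\sigma$ with the stratum-by-stratum evaluation, and the stable model test via $ground(P, I)$ and the reduct $ground_M(P, I)$. The candidate enumeration in `stable_models` is a brute force over subsets of ground heads and is meant for the tiny programs a reader wants to check by hand; the example rule $T(u,v) \leftarrow R(u,v), \neg S(v)$ and the inputs are the ones from this section, the two nullary programs are classical cases (one with two stable models, one with none) that stratification rejects:

```python
from itertools import product, combinations

# Atoms are (predicate, args) tuples; a fact is an atom whose args are all constants.
# Convention of this example only: a string starting with an uppercase letter is a
# variable, anything else is a constant (the paper writes variables u, v and constants a, b).
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def vars_of(atoms):
    return {t for a in atoms for t in a[1] if is_var(t)}

def apply(V, atom):
    """V(atom): replace variables by their value, leave constants unchanged."""
    return (atom[0], tuple(V.get(t, t) for t in atom[1]))

class Rule:
    """A Datalog-with-negation rule as the triple (head, pos, neg); neg holds atoms, not literals."""
    def __init__(self, head, pos=(), neg=()):
        self.head, self.pos, self.neg = head, tuple(pos), tuple(neg)
        if not vars_of([head, *self.neg]) <= vars_of(self.pos):   # safety condition
            raise ValueError("unsafe rule with head %r" % (head,))

def matches(atoms, I, V=None):
    """Yield every valuation V with V(atoms) contained in I (a backtracking join)."""
    V = {} if V is None else V
    if not atoms:
        yield dict(V)
        return
    pred, args = atoms[0]
    for fpred, fargs in I:
        if fpred != pred or len(fargs) != len(args):
            continue
        ext, ok = dict(V), True
        for t, c in zip(args, fargs):
            if (ext.setdefault(t, c) != c) if is_var(t) else (t != c):
                ok = False
                break
        if ok:
            yield from matches(atoms[1:], I, ext)

def immediate_consequence(rules, I):
    """T_P(I) = I plus every V(head) with V satisfying for some rule of P on I."""
    derived = set()
    for r in rules:
        for V in matches(r.pos, I):
            if all(apply(V, a) not in I for a in r.neg):
                derived.add(apply(V, r.head))
    return I | derived

def fixpoint(rules, I):
    """Minimal fixpoint of T_P above I: the semi-positive semantics (Section 3.2.1)."""
    while True:
        J = immediate_consequence(rules, I)
        if J == I:
            return I
        I = J

def stratify(rules):
    """Stratum number per idb predicate (Section 3.2.2), or None if not stratifiable."""
    idb = {r.head[0] for r in rules}
    sigma = {R: 1 for R in idb}
    for _ in range(len(idb) + 1):          # longest-path relaxation over the idb dependency graph
        changed = False
        for r in rules:
            T = r.head[0]
            for a, bump in [(a, 0) for a in r.pos] + [(a, 1) for a in r.neg]:
                if a[0] in idb and sigma[a[0]] + bump > sigma[T]:
                    sigma[T], changed = sigma[a[0]] + bump, True
        if not changed:
            return sigma
    return None                             # strata keep growing: negation through a cycle

def stratified_output(rules, I):
    """P_k(... P_2(P_1(I)) ...): one fixpoint per stratum, in increasing order."""
    sigma = stratify(rules)
    if sigma is None:
        raise ValueError("program is not syntactically stratifiable")
    for k in sorted(set(sigma.values())):
        I = fixpoint([r for r in rules if sigma[r.head[0]] == k], I)
    return I

def ground(rules, I):
    """ground(P, I): every rule instantiated over adom(I) union C, with C the constants of P."""
    C = {t for r in rules for a in (r.head, *r.pos, *r.neg) for t in a[1] if not is_var(t)}
    domain = sorted({t for _, args in I for t in args} | C)
    out = []
    for r in rules:
        vs = sorted(vars_of(r.pos))
        for combo in product(domain, repeat=len(vs)):
            V = dict(zip(vs, combo))
            out.append(Rule(apply(V, r.head), [apply(V, a) for a in r.pos],
                            [apply(V, a) for a in r.neg]))
    return out

def reduct(ground_rules, M):
    """ground_M(P, I): drop rules whose negative body meets M, then strip negation."""
    return [Rule(r.head, r.pos) for r in ground_rules if not set(r.neg) & M]

def stable_models(rules, I):
    """All stable models of P on I (Section 3.2.3): M is stable iff the positive program
    ground_M(P, I) outputs exactly M on I.  Candidates are I plus any set of ground
    heads, so this brute force is only for tiny programs."""
    g = ground(rules, I)
    base = sorted({r.head for r in g} - I)
    return [I | set(S) for n in range(len(base) + 1) for S in combinations(base, n)
            if fixpoint(reduct(g, I | set(S)), I) == I | set(S)]
```

For the rule $T(u,v) \leftarrow R(u,v), \neg S(v)$ on input $\{R(a,b), R(a,c), S(c)\}$ all three semantics agree and add exactly $T(a,b)$, as they must for a semi-positive program; `stratify` returns `None` for $p \leftarrow \neg q,\ q \leftarrow \neg p$ (negation through a cycle) while `stable_models` returns both $\{p\}$ and $\{q\}$, and $p \leftarrow \neg p$ has no stable model at all.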


3.3 Network and Distributed Databases 

A (computer) network is a nonempty finite set $\mathcal{N}$ of nodes, which are values in $\mathbf{dom}$. Intuitively, $\mathcal{N}$ represents the identifiers of compute nodes involved in a distributed system. Communication channels (edges) are not explicitly represented because we allow a node $x$ to send a message to any node $y$, as long as $x$ knows about $y$ by means of input relations or received messages. For general distributed or cluster computing, the delivery of messages is handled by the network layer, which is abstracted away. But (Datalog) programs can also describe the network layer itself (Loo et al. 2009; Hellerstein 2010b), in which case we would restrict attention to programs where nodes only send messages to nodes to which they are explicitly linked; these nodes would again be provided as input.

A distributed database instance $H$ over a network $\mathcal{N}$ and a database schema $\mathcal{D}$ is a function that maps every node of $\mathcal{N}$ to an ordinary finite database instance over $\mathcal{D}$. This represents how data over the same schema is spread over a network.

As a small example of a distributed database instance, consider the following instance $H$ over a network $\mathcal{N} = \{x, y\}$ and a schema $\mathcal{D} = \{R/1, S/1\}$: $H(x) = \{R(a), S(b)\}$ and $H(y) = \{R(a), S(c)\}$. In words: we put facts $R(a)$ and $S(b)$ at node $x$, and we put facts $R(a)$ and $S(c)$ at node $y$. Note that it is possible that the same fact is given to multiple nodes.
4 Model-Based Semantics

Here we describe a class of distributed Datalog$^\neg$ programs that we give a model-based semantics. First, in Section 4.1 we recall the user language Dedalus, which is based on Datalog$^\neg$ with annotations, and in which the programmer can express the functionality of the distributed program. Next, we discuss how to assign a declarative, model-based semantics to Dedalus programs. This semantics consists of applying the stable model semantics to the Dedalus programs after they are transformed into pure Datalog$^\neg$ programs, i.e., without annotations. We introduce some auxiliary notations and symbols in Section 4.2. Next, in Section 4.3 we give a basic transformation of Dedalus programs in order to apply the stable model semantics. However, this basic transformation has some shortcomings, that we iteratively correct in Sections 4.4 and 4.5.


4.1 User Language: Dedalus

Our user language for distributed Datalog$^\neg$ programs is Dedalus (Alvaro et al. 2009; Alvaro et al. 2011; Hellerstein 2010b), here presented as Datalog$^\neg$ with annotations.³ Essentially, the language represents updatable memory for the nodes of a network and provides a mechanism for communication between these nodes.


4.1.1 Syntax

Let $\mathcal{D}$ be a database schema. We write $B\{\bar v\}$, where $\bar v$ is a tuple of variables, to denote any sequence $\beta$ of literals over database schema $\mathcal{D}$, such that the variables in $\beta$ are precisely those in the tuple $\bar v$. Let $R(\bar u)$ denote any atom over $\mathcal{D}$. There are three types of Dedalus rules over $\mathcal{D}$:

• A deductive rule is a normal Datalog$^\neg$ rule over $\mathcal{D}$.

• An inductive rule is of the form

$R(\bar u)\bullet \leftarrow B\{\bar u, \bar v\}.$

• An asynchronous rule is of the form

$R(\bar u) \mid y \leftarrow B\{\bar u, \bar v, y\}.$

For asynchronous rules, the annotation "$\mid y$" with $y \in \mathbf{var}$ means that the derived head facts are transferred ("piped") to the addressee node represented by $y$. Deductive, inductive and asynchronous rules will express respectively local computation, updatable memory, and message sending. As in Section 3.2, a Dedalus rule is called safe if all its variables occur in at least one positive body atom.

We already provide some intuition of how asynchronous rules operate. There are four conceptual time points involved in the execution of an asynchronous rule: the time when the body is evaluated; the time when the derived fact is sent to the addressee; the time when the fact arrives at the addressee; and, the time when the arrived fact becomes visible at the addressee. In the model-based semantics presented later, the first two time points coincide and the last two time points coincide; and, there is no upper bound on the interval between these two pairs, although it will be finite.

³ These annotations correspond to syntactic sugar in the previous presentations of Dedalus.

Now consider the following definition: 

Definition 4.1

A Dedalus program over a schema $\mathcal{D}$ is a set of deductive, inductive and asynchronous Dedalus rules over $\mathcal{D}$, such that all rules are safe, and the set of deductive rules is syntactically stratifiable.

In the current work, we will additionally assume that Dedalus programs are constant-free, as is common in the theory of database query languages, and which is not really a limitation, since constants that are important for the program can always be indicated by unary relations in the input.

Let $\mathcal{P}$ be a Dedalus program. The definitions of $sch(\mathcal{P})$, $idb(\mathcal{P})$, and $edb(\mathcal{P})$ are like for Datalog$^\neg$ programs. An input for $\mathcal{P}$ is a distributed database instance over some network $\mathcal{N}$ and the schema $edb(\mathcal{P})$.

4.1.2 Semantics Sketch

We sketch the main idea behind the semantics of a Dedalus program $\mathcal{P}$. We illustrate the semantics in Section 4.1.3.

Let $H$ be an input distributed database instance for $\mathcal{P}$, over a network $\mathcal{N}$. The idea is that all nodes $x \in \mathcal{N}$ run the same program $\mathcal{P}$ and use their local input fragment $H(x)$ to do local computation and to send messages. Conceptually, each node of $\mathcal{N}$ should be thought of as doing local computation steps, indefinitely. During each step, a node reads the following facts: (i) the local input; (ii) some received message facts, generated by asynchronous rules on other nodes or the node itself; and, (iii) the facts derived by inductive rules during the previous step on this same node. Next, the deductive rules are applied to these available facts, to compute a fixpoint $D$ under the stratified semantics.

Subsequently, the asynchronous and inductive rules are fired in parallel on the deductive fixpoint $D$, trying all possible valuations in single-step derivations (i.e., no fixpoint). The asynchronous rules send messages to other nodes or to the same node. Messages arrive after an arbitrary (but finite) delay, where the delay can vary for each message. The inductive rules store facts in the memory of the local node. The effect of an inductive derivation is only visible in the very next step; so, if a fact is to be remembered over multiple steps, it should always be explicitly rederived by inductive rules.


4.1.3 Examples

We consider several examples to demonstrate the three kinds of Dedalus rules, and how they work together. These examples also illustrate the utility of Dedalus when applied to some practical problems. Here, we follow the principle that the output on a node $x$ consists of the facts that are eventually derived during every step of $x$.

marked(u) | y ← start(u), Node(y).
marked(u)• ← marked(u).
marked(v) ← marked(u), R(u, v).
vert(u) ← R(u, v).
vert(u) ← R(v, u).
missing() ← vert(u), ¬marked(u).
covered() ← ¬missing().

Figure 1. Dedalus program for Example 1


Example 1

In this example we compute reachable vertices on graph data. Consider the Dedalus program $\mathcal{P}$ in Figure 1. We assume the edb relations R/2, start/1, and Node/1. For each node, relation R describes a local graph, and relation start provides certain starting vertices. In any input distributed database instance $H$ over a network $\mathcal{N}$, we assume that for each node, relation Node is initialized to contain all nodes of $\mathcal{N}$; intuitively, Node can be regarded as an address book for $\mathcal{N}$.

Now, the idea is that each node of $\mathcal{N}$ will check whether all of its local vertices are reachable from the (distributed) start vertices. Communication is needed to share these start vertices, which is accomplished by the asynchronous rule. The receipt of a start vertex initializes a local relation marked/1 at each node; this relation contains reachable vertices. The inductive rule says that all reachable vertices that we know during the current step are remembered in the next step. This way, the effect of the communication is preserved. Moreover, the third rule, which is deductive, collects all local graph vertices reachable from the currently known reachable vertices. Note, the inductive rule will cause the result of this deductive computation to be also remembered in the next step, although this effect is not really needed here. The last four rules, which are deductive, check that all local vertices are reachable from the start vertices seen so far; if so, a local flag covered() is derived.

In our semantics, we will enforce that all messages eventually arrive. In such a semantics, eventually a node will produce covered() during each step iff all its local vertices are reachable from the distributed start vertices. □
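The step structure of Section 4.1.2 and the program of Example 1, as an added simulation of the operational behaviour that is not part of the paper. The deductive rules of Figure 1 are evaluated directly as set operations rather than by a generic Datalog engine; the network, graphs and start vertices are a constructed input; and the nondeterminism of the operational semantics (which node steps next, and which of its buffered messages are delivered, possibly none) is made explicit as a schedule. A message can only be delivered in a step after the one that sent it, which is exactly the causality constraint the paper adds as rules:

```python
import random

def deductive_fixpoint(R, marked):
    """The deductive rules of Figure 1, evaluated directly (stratified: marked, then
    missing, then covered).  R is the local edge relation, marked the facts visible
    at the start of the step (delivered messages plus inductive memory)."""
    marked = set(marked)
    while True:                                  # marked(v) <- marked(u), R(u, v)
        new = {v for (u, v) in R if u in marked} - marked
        if not new:
            break
        marked |= new
    vert = {u for (u, _) in R} | {v for (_, v) in R}   # vert(u) <- R(u, v); vert(u) <- R(v, u)
    missing = bool(vert - marked)                # missing() <- vert(u), not marked(u)
    return marked, not missing                   # covered() <- not missing()

class Node:
    def __init__(self, name, R, start):
        self.name, self.R, self.start = name, set(R), set(start)
        self.memory = set()    # facts derived by the inductive rule in the previous step
        self.inbox = []        # messages sent to this node and not yet delivered
        self.trace = []        # per local step: (delivered vertices, covered() derived?)

def step(node, network, delivered):
    """One local step: read input, delivered messages and inductive memory; compute the
    deductive fixpoint; then fire the inductive and asynchronous rules once each."""
    marked, covered = deductive_fixpoint(node.R, node.memory | set(delivered))
    node.memory = marked                         # marked(u)* <- marked(u)
    for u in node.start:                         # marked(u) | y <- start(u), Node(y)
        for y in network.values():               # Node holds every node, incl. the sender
            y.inbox.append((node.name, u))       # sent now, deliverable only at a later step
    node.trace.append((frozenset(delivered), covered))
    return covered

def run(network, schedule):
    """schedule: (node name, k) pairs; the node performs a step in which its k oldest
    buffered messages are delivered (k = 0 models delay).  Delivery per step is finite
    and a message is never delivered before it was sent (causality)."""
    for name, k in schedule:
        node = network[name]
        delivered = [u for (_, u) in node.inbox[:k]]
        del node.inbox[:k]
        step(node, network, delivered)
    return {n: node.trace for n, node in network.items()}

def random_run(network, steps, seed=0):
    """A nondeterministic execution: a random node steps and delivers a random prefix
    of its inbox.  Only finitely many messages arrive per step, and under a fair random
    choice every message is eventually delivered."""
    rng = random.Random(seed)
    names = sorted(network)
    for _ in range(steps):
        name = rng.choice(names)
        run(network, [(name, rng.randint(0, len(network[name].inbox)))])
    return {n: node.trace for n, node in network.items()}

def make_network():
    """Constructed input (not from the paper): node x holds the path a->b->c with start
    vertex a; node y holds c->d and f->d with start vertex c.  Vertex f at y is reachable
    from no start vertex, so y can never derive covered()."""
    return {"x": Node("x", {("a", "b"), ("b", "c")}, {"a"}),
            "y": Node("y", {("c", "d"), ("f", "d")}, {"c"})}
```

With the scripted schedule `[("x", 0), ("x", 0), ("y", 0), ("x", 1), ("x", 0), ("y", 5)]`, node x runs two steps without its own message being delivered (no covered()), derives covered() in the step that delivers marked(a), and keeps deriving it afterwards because the inductive rule persists marked; node y receives both start vertices but never derives covered() because f stays unmarked. The property the example makes checkable is the one the text states: once a node derives covered() it does so in every later step, under any schedule.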


Example 2 

In this example we generate a random ordering of a set through asynchronous delivery of messages. Every node generates a random ordering of a local edb relation S/1 that represents an input set. We also assume an edb relation Id/1 that contains on each node the identifier of that node; the relation Id allows a node to send a message to itself. The idea is that a node sends all elements of S to itself as messages, and the arbitrary arrival order is used to generate an ordering of the elements. This





Ameloot et al. 


ordering depends on the execution, and some executions will not lead to orderings 
if some elements are always jointly delivered. 

The corresponding program is shown in Figure 2. We use relation M/1 to send the
elements of S, as accomplished by the single asynchronous rule. The relations F/1
and N/2 represent the ordering of S so far, and they are considered as the output
of the program; the letters ‘F’ and ‘N’ stand for “first” and “next” respectively.
For example, a possible ordering of the set {a, b, c, d} could be expressed by the
following facts: F(d), N(d, c), N(c, b), N(b, a).

Inductive rules are responsible for remembering the iteratively updated versions 
of F and N. The other rules are deductive, and they can conceptually be executed 
in the order in which they are written. The main technical challenge is to only 
update the ordering when precisely one element of S arrives; otherwise, because 
we have no choice mechanism, we would accidentally give the same ordinal to two 
different elements. Checking whether we may update the ordering is accomplished 
through other auxiliary relations. We use a nullary relation started as a flag to 
know whether we still have to initialize relation F or not. 

Note that the program keeps sending all elements of S through the single asynchronous
rule. Alternatively, by adapting the program, we could send the elements
only once by making sure the asynchronous rule is fired only once (in parallel for all
elements of S). In that case, as soon as two elements are later delivered together,
the ordering will not contain all elements. □

Example 3 

This example is inspired by commit protocols that were expressed in a precursor
language of Dedalus (Alvaro et al. 2009). In particular, we implement a two-phase
commit protocol where agents, represented by nodes, vote either “yes” or “no” for
transaction identifiers. Such a protocol could be part of a bigger system, where
transactions are distributed across agents and each agent may only perform the
transaction locally if all agents want to do this. A single coordinator node is responsible
for combining the votes for each transaction identifier t: the coordinator
broadcasts “yes” for t if all votes for t are “yes”, and “no” otherwise. Each agent
stores the decision of the coordinator.

Because the agents and the coordinator have different roles, we make two separate
Dedalus programs (see the footnote below). First, the agent nodes are assigned the
following simple Dedalus program, whose relations are explained below:

vote(t, x, v) | y ← myVote(t, v), Id(x), coord(y).

outcome(t, v)• ← outcome(t, v).

Here, the edb relations are: myVote/2 that maps each transaction identifier t to
a local vote “yes” or “no”, Id/1 storing the identifier of the agent, and coord/1
storing the identifier of the coordinator. Also, the relations vote/3 and outcome/2
represent respectively the outgoing votes and the final decision by the coordinator.

Footnote: In our formal definitions, all nodes execute the same Dedalus program. However, it is easy to
simulate two different programs by giving every node the union of both programs, but using a
flag to guard the rules of each program. In this example, we can then assume that one node
gets a “coordinator” flag as input, and the other nodes get an “agent” flag as input.

M(u) | x ← S(u), Id(x).

used(u) ← F(u).
used(u) ← N(u, v).
used(u) ← N(v, u).
new(u) ← M(u), ¬used(u).
eq(u, u) ← S(u).

two() ← new(u), new(v), ¬eq(u, v).
keep(u) ← new(u), ¬two().
notlast(u) ← N(u, v).
last(u) ← F(u), ¬notlast(u).
last(u) ← N(v, u), ¬notlast(u).

started() ← F(u).

F(u)• ← ¬started(), keep(u).

N(u, v)• ← started(), last(u), keep(v).

F(u)• ← F(u).

N(u, v)• ← N(u, v).

Figure 2. Dedalus program for Example 2.

Second, the coordinator node is assigned the Dedalus program shown in Figure 3.
The coordinator has the following edb relations: relation T/1 containing all
transaction identifiers, relations Y/1 and N/1 containing the constants “yes” and
“no” respectively, and relation agent/1 containing all voting agents. The coordinator
uses an inductive rule to gradually accumulate all votes for each transaction
identifier. Votes can have arbitrary delays, but in our model the delays are always
finite. In each computation step, the deductive rules at the coordinator recompute
a relation complete that contains the transaction identifiers for which all votes
have been received. When a transaction identifier t has at least one “no” vote, the
coordinator decides “no” for t, and otherwise the coordinator decides “yes” for t.
The final decision is broadcast to all agents. The coordinator adds the transactions
with a decision to a log, so the decision will not be broadcast again. □


vote(t, x, v)• ← vote(t, x, v).

known(t, x) ← vote(t, x, v).
missing(t) ← T(t), agent(x), ¬known(t, x).
complete(t) ← T(t), ¬missing(t).
decideNo(t) ← vote(t, x, v), N(v).
decideYes(t) ← complete(t), ¬decideNo(t).

outcome(t, v) | y ← decideNo(t), ¬log(t), N(v), agent(y).
outcome(t, v) | y ← decideYes(t), ¬log(t), Y(v), agent(y).
log(t)• ← complete(t).
log(t)• ← log(t).

Figure 3. Dedalus (coordinator) program for Example 3.


4.2 Auxiliary Notations and Relations

Let P be a Dedalus program. Let R/k ∈ sch(P). We will use facts of the form
R(x, s, a1, ..., ak) to express that fact R(a1, ..., ak) is present at a node x during
its local step s, with s ∈ ℕ, after the deductive rules are executed. We call x the
location specifier and s the timestamp. In order to represent timestamps, we assume
ℕ ⊆ dom.

We write sch(P)^LT to denote the database schema obtained from sch(P) by
incrementing the arity of every relation by two. The two extra components will
contain the location specifier and timestamp (see the first footnote below). For an
instance I over sch(P), x ∈ dom and s ∈ ℕ, we write I^{x,s} to denote the facts over
sch(P)^LT that are obtained by prepending location specifier x and timestamp s to
every fact of I. Also, if L is a sequence of literals over sch(P), and x, s ∈ var, we
write L^{x,s} to denote the sequence of literals over sch(P)^LT that is obtained by
adding location specifier x and timestamp s to the literals in L (negative literals
stay negative).

We also need auxiliary relation names, that are assumed not to be used in sch(P);
these are listed in Table 1 (see the second footnote below). The concrete purpose of
these relations will become clear in the following subsections.

We define the following schema:

D_time = {time/1, tsucc/2, </2, ≠/2}.

The relations ‘<’ and ‘≠’ will be written in infix notation in rules. We consider only
the following instance over D_time:

I_time = {time(s), tsucc(s, s + 1) | s ∈ ℕ}
       ∪ {(s < t) | s, t ∈ ℕ : s < t}
       ∪ {(s ≠ t) | s, t ∈ ℕ : s ≠ t}.

Intuitively, the instance I_time provides timestamps together with relations to compare
them.

Footnote: The abbreviation ‘LT’ stands for “location specifier and timestamp”.

Footnote: In practice, auxiliary relations can be differentiated from those in sch(P) by a namespace
mechanism.

Table 1. Relation names not in sch(P).

Relation names                                        Meaning
all                                                   network
time, tsucc, <, ≠                                     timestamps
before                                                happens-before relation
cand_R, chosen_R, other_R, for each                   messages
  relation name R in idb(P)
hasSender, isSmaller, hasMax, rcvInf                  only a finite number of messages
                                                      arrive at each step of a node

4.3 Dynamic Choice Transformation

Let P be a Dedalus program. We describe the dynamic choice transformation to
transform P into a pure Datalog¬ program pure_ch(P). The most technical part of
the transformation involves the use of dynamic choice to select an arrival timestamp
for each message generated by an asynchronous rule. The actual transformation is
presented first; next we give the semantics; and, lastly, we discuss how the transformation
can be improved.


4.3.1 Transformation

We incrementally construct pure_ch(P). In particular, for each rule in P, we specify
what corresponding rule (or rules) should be added to pure_ch(P). For technical
convenience, we assume that rules of P always contain at least one positive body
atom. This assumption allows us to more elegantly enforce that head variables in
rules of pure_ch(P) also occur in at least one positive body atom (see the footnote
below). Let x, s, t, t' ∈ var be distinct variables not yet occurring in rules of P. We
write B{v}, where v is a tuple of variables, to denote any sequence β of literals over
sch(P), such that the variables in β are precisely those in v. Also recall the notations
and relation names from Section 4.2.

Deductive rules. For each deductive rule R(u) ← B{u, v} in P, we add to pure_ch(P)
the following rule:

R(x, s, u) ← B{u, v}^{x,s}. (1)


Footnote: This assumption is not really a restriction, since a nullary positive body atom is already
sufficient.

This rule expresses that deductively derived facts at some node x during step s
are (immediately) visible within step s of x. Note, all atoms in this rule are over
sch(P)^LT.

Inductive rules. For each inductive rule R(u)• ← B{u, v} in P, we add to pure_ch(P)
the following rule:

R(x, t, u) ← B{u, v}^{x,s}, tsucc(s, t). (2)

This rule expresses that inductively derived facts become visible in the next step
of the same node.

Asynchronous rules. We use facts of the form all(x) to say that x is a node of the
network at hand. We use facts of the form cand_R(x, s, y, t, ā) to express that node x
at its step s sends a message R(ā) to node y, and that t could be the arrival timestamp
of this message at y (see the footnote below). Within this context, we use a fact
chosen_R(x, s, y, t, ā) to say that t is the effective arrival timestamp of this message
at y. Lastly, a fact other_R(x, s, y, t, ā) means that t is not the arrival timestamp of
the message. Now, for each asynchronous rule

R(u) | y ← B{u, v, y}

in P, letting w be a tuple of new and distinct variables with |w| = |u|, we add to
pure_ch(P) the following rules, for which the intuition is given below:

cand_R(x, s, y, t, u) ← B{u, v, y}^{x,s}, all(y), time(t). (3)

chosen_R(x, s, y, t, w) ← cand_R(x, s, y, t, w), ¬other_R(x, s, y, t, w). (4)

other_R(x, s, y, t, w) ← cand_R(x, s, y, t, w), chosen_R(x, s, y, t', w), t ≠ t'. (5)

R(y, t, w) ← chosen_R(x, s, y, t, w). (6)

Rule (3) represents the messages that are sent. It evaluates the body of the
original asynchronous rule, verifies that the addressee is within the network by
using relation all, and it generates all possible candidate arrival timestamps.

Now remains the matter of actually choosing one arrival timestamp amongst
all these candidates. Intuitively, rule (4) selects an arrival timestamp for a message
with the condition that this timestamp is not yet ignored, as expressed with relation
other_R. Also, looking at rule (5), a possible arrival timestamp t becomes ignored
if there is already a chosen arrival timestamp t' with t ≠ t'. Together, both rules
have the effect that exactly one arrival timestamp will be chosen under the stable
model semantics. This technical construction is due to Saccà and Zaniolo (1990),
who show how to express dynamic choice under the stable model semantics.

Rule (6) represents the actual arrival of an R-message with the chosen arrival
timestamp: the data-tuple in the message becomes part of the addressee’s state for
relation R. When the addressee reads relation R, it thus transparently reads the
arrived R-messages.

Footnote: Here, ‘cand’ abbreviates “candidate”.

Note, if multiple asynchronous rules in P have the same head predicate R, only
new cand_R-rules have to be added because the rules (4)-(6) are general for all
R-messages.

Note that if there are asynchronous rules in P, program pure_ch(P) is not syntactically
stratifiable if a cand_R-rule contains a body atom that (indirectly) negatively
depends on R. In that case, pure_ch(P) might not even be locally stratifiable
(Apt and Bol 1994).


4.3.2 Semantics

Now we define the semantics of pure_ch(P). Let H be an input distributed database
instance for P, over a network 𝒩. Using the notations from Section 3.2, we define
decl(H) to be the following database instance over the schema edb(P)^LT ∪ {all/1} ∪
D_time:

decl(H) = {R(x, s, ā) | x ∈ 𝒩, s ∈ ℕ, R(ā) ∈ H(x)}
        ∪ {all(x) | x ∈ 𝒩} ∪ I_time.

In words: we make for each node its input facts available at all timestamps; we
provide the set of all nodes; and, I_time provides the timestamps with comparison
relations. Note, instance decl(H) is infinite because ℕ is infinite.

The stable model semantics for Datalog¬ programs is reviewed in Section 3.2.1.
Consider now the following definition:

Definition 4.2

For an input distributed database instance H for P, we call any stable model of
pure_ch(P) on input decl(H) a choice-model of P on input H.


4.3.3 Possible Improvement

We illustrate a shortcoming of the dynamic choice transformation. Consider the
Dedalus program P in Figure 4. We assume that in each input distributed database,
the edb relation Id/1 contains on each node just the identifier of this node. This way,
the node can send messages to itself. Relation T is the intended output relation of P.
The idea is that a node sends A() to itself continuously. When A() arrives, we send
B(), but we also want to create an output fact T(). We only create T() when B() is
absent. When B() is received, it is remembered by inductive rules. Now, we see that
the delivery of at least one A() is necessary to cause a B() to be sent. This creates
the expectation that T() is always created: at least one A() is delivered before any
B(). This intuition can be formalized as causality (Attiya and Welch 2004) (see
also Section 5.2.1).

However, this intuition is violated by some choice-models of P, as we demonstrate
next.

Footnote: Indeed, cand_R is used to compute R, but R is also used to compute cand_R, giving a cycle
through negation.

Footnote: For simplicity we already include relation < in this definition, although this relation will only
be used later.

Figure 4. Dedalus program sensitive to non-causality.

Consider the input distributed database instance H over a singleton network
{z} that assigns the fact Id(z) to z. Now, consider the following choice-model M
of P on H (see the footnote below):

M = decl(H) ∪ M_A^cand ∪ M_A ∪ M_B^cand ∪ M_B,

where

M_A^cand = {cand_A(z, s, z, t) | s, t ∈ ℕ}
          ∪ {chosen_A(z, s, z, s + 1) | s ∈ ℕ}
          ∪ {other_A(z, s, z, t) | s, t ∈ ℕ, t ≠ s + 1};

M_A = {A(z, s) | s ∈ ℕ, s ≥ 1};

M_B^cand = {cand_B(z, s, z, t) | s, t ∈ ℕ, s ≥ 1}
          ∪ {chosen_B(z, 1, z, 0)}
          ∪ {chosen_B(z, s, z, s + 1) | s ∈ ℕ, s ≥ 2}
          ∪ {other_B(z, 1, z, t) | t ∈ ℕ, t ≠ 0}
          ∪ {other_B(z, s, z, t) | s, t ∈ ℕ, s ≥ 2, t ≠ s + 1};

M_B = {B(z, s) | s ∈ ℕ}.

In M_B^cand, note that one B-message is sent at timestamp 1 of z, and arrives at
timestamp 0 of z. We immediately see that this message is peculiar: we should not be
able to send a message to arrive in the past. Because of the stray message B(),
the fact B() exists at all timestamps: it arrives at timestamp 0 and is henceforth
persisted by the inductive rule for relation B; this is modeled by set M_B. Subsequently,
there are no ground rules of the form T(z, s) ← A(z, s) with s ∈ ℕ in the
ground program ground(C, I), where C = pure_ch(P) and I = decl(H).

In the next subsection, we exclude such unintuitive stable models using an extended
transformation of Dedalus programs.

Footnote: Using straightforward arguments, it can indeed be shown that M is a stable model of pure_ch(P)
on decl(H).
4.4 Causality Transformation

Let P be a Dedalus program. In this section, we present the causality transformation
pure_ca(P) that extends pure_ch(P) to exclude the unintuitive stable models
that we have encountered in the previous subsection. We first present the new
transformation, and then we discuss how the transformation can still be improved.


4.4.1 Transformation

We define pure_ca(P) again incrementally. First, we transform deductive and inductive
rules just as in pure_ch(P).

Next, we use facts of the form before(x, s, y, t) to express that local step s of
node x happens before local step t of node y. Regardless of P, we always add the
following rules to pure_ca(P):

before(x, s, x, t) ← all(x), tsucc(s, t). (7)

before(x, s, y, t) ← before(x, s, z, u), before(z, u, y, t). (8)

Rule (7) expresses that on every node, a step happens before the next step. Rule
(8) makes relation before transitive.

Now, for each asynchronous rule

R(u) | y ← B{u, v, y}

in P, we add to pure_ca(P) the previous transformation rules (4), (5) and (6) (omitting
the cand_R-rule), and we add the following new rules, where w is a tuple of new
and distinct variables with |w| = |u|, and x, s, and t are also new variables:

cand_R(x, s, y, t, u) ← B{u, v, y}^{x,s}, all(y), time(t), ¬before(y, t, x, s). (9)

before(x, s, y, t) ← chosen_R(x, s, y, t, w). (10)

Like the old rule (3), rule (9) represents the messages that are sent, but now candidate
arrival timestamps are restricted by relation before to enforce causality.
Intuitively, this restriction prevents cycles from occurring in relation before. This
aligns with the semantics of a real distributed system, where the happens-before
relation is a strict partial order (Attiya and Welch 2004) (see also Section 5.2.1).

Rule (10) adds the causal restriction that the local step of the sender happens
before the arrival step of the addressee. Together with the previously introduced
rules (7) and (8), this will make sure that when the addressee later causally replies
to the sender, the reply, as generated by a rule of the form (9), will arrive after
this first send-step of the sender.

Remark 1

The new program pure_ca(P) excludes unintuitive models like the one in Section 4.3.3.
In the context of that particular example, it will be impossible to exhibit a stable
model of pure_ca(P) in which B() is sent to timestamp 0. Indeed, B() can only be
sent starting from timestamp 1; timestamp 0 at z (locally) happens before timestamp
1 at z; and, the negative before-literal in rule (9) will prevent sending from
timestamp 1 at z to timestamp 0 at z. Also in scenarios where different nodes x
and y send messages to each other, when node x replies to a message of node y
sent at timestamp s of y, node x can not send the reply to a timestamp t of y with
t < s.
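The following Python script is an added example (it is not code from the paper) that makes the dynamic choice rules (3)-(6) of Section 4.3.1 and the causality rules (7)-(10) of this section concrete. It grounds them for one nullary message R() that a node z sends to itself at a given step, over a finite set of timestamps, and enumerates the stable models with the Gelfond-Lifschitz reduct: since the reduct of a ground program depends only on which negated atoms are in the candidate model, guessing that subset and checking the least model of the reduct finds every stable model. Without the causality rules, exactly one arrival timestamp is chosen per stable model and every timestamp occurs in some model; with rules (7)-(10) added, the situation of Remark 1 is reproduced, and the example goes one step further than the text: a message sent at step 1 can arrive neither at step 0 nor at step 1 itself, because rule (10) would then derive before(z, 1, z, 1) and rule (9) would retract the candidate. The propositional encoding (node components dropped on the singleton network, rule bodies assumed true, finite timestamps) is an assumption of this example.

```python
from itertools import combinations

# A ground rule is (head, positive_body, negative_body); atoms are tuples.

def least_model(pos_rules):
    """Least model of a negation-free ground program (naive fixpoint)."""
    m = set()
    changed = True
    while changed:
        changed = False
        for head, body in pos_rules:
            if head not in m and all(b in m for b in body):
                m.add(head)
                changed = True
    return m

def stable_models(rules):
    """Gelfond-Lifschitz stable models. The reduct P^M depends only on which
    negated atoms are in M, so we guess that subset G, compute the least model
    L of the reduct, and keep L when it agrees with the guess (L ∩ Neg = G)."""
    neg_atoms = sorted({a for _, _, neg in rules for a in neg})
    models = []
    for k in range(len(neg_atoms) + 1):
        for guess in combinations(neg_atoms, k):
            g = set(guess)
            reduct = [(h, pos) for h, pos, neg in rules if not g.intersection(neg)]
            m = least_model(reduct)
            if m.intersection(neg_atoms) == g:
                models.append(frozenset(m))
    return models

def choice_program(timestamps, send_step, causal):
    """Ground the rules (3)-(6) for one nullary message R() that node z sends
    to itself at step send_step (the rule body is assumed to be true there).
    With causal=True the rules (7)-(10) are added; on the singleton network
    {z} the node components are dropped, so before(s, t) stands for
    before(z, s, z, t). This grounding is constructed for the example."""
    ts = list(timestamps)
    rules = []
    for t in ts:
        # (3) or (9): cand(t) <- all(z), time(t) [, not before(t, send_step)]
        rules.append((("cand", t), [], [("before", t, send_step)] if causal else []))
        # (4): chosen(t) <- cand(t), not other(t)
        rules.append((("chosen", t), [("cand", t)], [("other", t)]))
        # (5): other(t) <- cand(t), chosen(t'), t != t'
        for t2 in ts:
            if t2 != t:
                rules.append((("other", t), [("cand", t), ("chosen", t2)], []))
        # (6): the message is visible in relation R at the chosen arrival step
        rules.append((("R", t), [("chosen", t)], []))
    if causal:
        for a in ts:
            for b in ts:
                if b == a + 1:  # (7): before(s, t) <- all(z), tsucc(s, t)
                    rules.append((("before", a, b), [], []))
                for c in ts:    # (8): transitivity of before
                    rules.append((("before", a, c), [("before", a, b), ("before", b, c)], []))
        for t in ts:            # (10): the send step happens before the arrival step
            rules.append((("before", send_step, t), [("chosen", t)], []))
    return rules

def arrival_steps(models):
    """The chosen arrival timestamps over all stable models (one per model)."""
    return sorted(a[1] for m in models for a in m if a[0] == "chosen")

if __name__ == "__main__":
    plain = stable_models(choice_program(range(4), 1, causal=False))
    print("dynamic choice only, arrivals:", arrival_steps(plain))
    causal = stable_models(choice_program(range(4), 1, causal=True))
    print("with causality rules, arrivals:", arrival_steps(causal))
```

The guess-and-check enumeration is only meant for small groundings like this one (here 8 negated atoms, so 256 guesses); it is the definition of stable models made executable, not an answer-set solver.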


4.4.2 Semantics

The semantics of the causality transformation is the same as for the dynamic choice
transformation:

Definition 4.3

For an input distributed database instance H for P, we call any stable model of
pure_ca(P) on input decl(H) a causal model of P on input H.


4.4.3 Possible Improvement

We illustrate a shortcoming of the causality transformation. Consider the Dedalus
program P in Figure 5. We assume that in each input distributed database, the
edb relation contact/1 contains intended recipients of messages. Relation T serves
as the output relation of P. The idea is that a node sends A() to its recipients
continuously. When A() arrives, a recipient sets a local flag first(). Later, when a
second A() arrives, the recipient creates an output fact T() that we remember by
means of inductive rules. Intuitively, we expect that T() is always created because
the fact A() is sent infinitely often to a recipient, making this recipient witness the
arrival of A() at (hopefully) two distinct moments.

However, this intuition is violated by some causal models of P. Consider the input
distributed database instance H over a network {x, y} that (only) assigns the fact
contact(y) to x. Now, consider the following causal model M of P on H (see the
footnote below):

M = decl(H) ∪ M_A^cand ∪ M_A ∪ M^before,

where

M_A^cand = {cand_A(x, s, y, t) | s, t ∈ ℕ}
          ∪ {chosen_A(x, s, y, 0) | s ∈ ℕ}
          ∪ {other_A(x, s, y, t) | s, t ∈ ℕ, t ≠ 0};

M_A = {A(y, 0)}
     ∪ {first(y, s) | s ∈ ℕ, s ≥ 1};

M^before = {before(x, s, x, t) | s, t ∈ ℕ, s < t}
          ∪ {before(y, s, y, t) | s, t ∈ ℕ, s < t}
          ∪ {before(x, s, y, t) | s, t ∈ ℕ}.

Footnote: Using straightforward arguments, it can be shown that M is a stable model of pure_ca(P) on
decl(H).

Figure 5. Dedalus program sensitive to infinite message grouping.

In this causal model, all instances of message A() that x sends to y arrive at
timestamp 0 of y. For this reason, node y can not witness two different arrivals
of message A(). In practice, however, node y can not receive an infinite number
of messages during a timestamp, and the deliveries of the A() messages would
be spread out more evenly in time. So, in the next subsection, we will additionally
exclude such infinite message arrivals, to obtain our final transformation of Dedalus
programs.


4.5 Causality-Finiteness Transformation

Let P be a Dedalus program. As seen in the previous subsection, program pure_ca(P)
allows an infinite number of messages to arrive at any step of a node. This does
not happen in any real-world distributed system; indeed, no node has to process an
infinite number of messages at any given moment. We consider this to be an additional
restriction that must be explicitly enforced. To this purpose, we present in
this section the causality-finiteness transformation pure(P) that extends pure_ca(P).

We will approach this problem as follows. Suppose there are an infinite number of
messages that arrive at some node y during its step t. Since in a network there are
only a finite number of nodes and a node can only send a finite number of messages
during each step (the input domain is finite), there must be at least one node x that
sends messages to step t of y during an infinite number of steps of x. Hence there
is no maximum value amongst the corresponding send-timestamps of x. Thus, in
order to prevent the arrival of an infinite number of messages at step t of y, it will
be sufficient to demand that there always is such a maximum send-timestamp for
every sender. Below, we will implement this strategy with some concrete rules in
pure(P).


4.5.1 Transformation

We define pure(P) as pure_ca(P) extended as follows. The additional rules can be
thought of as being relative to an addressee and a step of this addressee, represented
by the variables y and t respectively.

We use a fact rcvInf(y, t) to express that node y receives an infinite number
of messages during its step t. First, we add the following rule to pure(P) for each
relation chosen_R that results from the transformation of asynchronous rules in
pure_ca(P), where x, s, y, and t are variables and w is a tuple of distinct variables
disjoint from the previous ones with |w| the arity of relation R in sch(P):

hasSender(y, t, x, s) ← chosen_R(x, s, y, t, w), ¬rcvInf(y, t). (11)

This rule intuitively means that as long as addressee y has not received an infinite
number of messages during its step t, we register the senders and their send-timestamps.

Recall the auxiliary relations defined in Section 4.2. Next, we add to pure(P) the
following rules, for which the intuition is provided below:

isSmaller(y, t, x, s) ← hasSender(y, t, x, s), hasSender(y, t, x, s'), s < s'. (12)

hasMax(y, t, x) ← hasSender(y, t, x, s), ¬isSmaller(y, t, x, s). (13)

rcvInf(y, t) ← hasSender(y, t, x, s), ¬hasMax(y, t, x). (14)

Rule (12) checks for each sender and each of its send-timestamps whether there is a
later send-timestamp of that same sender. Rule (13) tries to find a maximum send-timestamp.
Finally, rule (14) derives a rcvInf-fact if no maximum send-timestamp
was found for at least one sender.

We will show in Section 5.3.1 that in any stable model, the above rules make sure
that every node receives only a finite number of messages at every step.


4.5.2 Semantics

The semantics of the causality-finiteness transformation is again the same as for
the dynamic choice transformation and the causality transformation:

Definition 4.4

For an input distributed database instance H for P, we call any stable model of
pure(P) on input decl(H) a causal-finite model of P on input H.

We will refer to a causal-finite model also simply as model.


5 Correctness

In Section 4 we have described the computation of a distributed Datalog¬ program
by means of stable models. By using suitable rules, we have excluded some unintuitive
stable models. But at this point we are still not sure whether the remaining
stable models really correspond to the execution of a distributed system. We fill
that gap in this section: we show that each remaining stable model corresponds to
an execution of the distributed Datalog¬ program under an operational semantics,
and vice versa. We call such an execution a run, and we will only be concerned
with so-called fair runs, where each node is made active infinitely often and all sent
messages are eventually delivered.

We extract from each run 𝓡 a trace, denoted trace(𝓡), which is a set of facts
that shows in detail what each node computes during each step. We will make this
concrete in the following subsections. But we can already state our main result, as
follows:

Theorem 4

Let P be a Dedalus program. For each input distributed database instance H for
P,

(i) for every fair run 𝓡 of P there is a model M of P such that trace(𝓡) =
M|_{sch(P)^LT}, and

(ii) for every model M of P there is a fair run 𝓡 of P such that trace(𝓡) =
M|_{sch(P)^LT}. □

First, Section 5.1 formalizes runs and traces of runs. The proof of item (i) of
the theorem is described in Section 5.2. The proof of item (ii), which is the most
difficult, is described in Section 5.3. We only describe the crucial reasoning steps
of the proofs; the intricate technical details can be found in the online appendix to
the paper.


5.1 Operational Semantics

In this section, we give an operational semantics for Dedalus that is in line with earlier
formal work on declarative networking (Deutsch et al. 2006; Navarro and Rybalchenko 2009;
Grumbach and Wang 2010; Ameloot et al. 2011; Abiteboul et al. 2011).

Let P be a Dedalus program, and let H be an input distributed database instance
for P, over a network 𝒩. The essence of the operational semantics is as follows.
Every node of 𝒩 runs program P, and a node has access only to its own local state
and any received messages. The nodes are made active one by one in some arbitrary
order, and this continues an infinite number of times. During each active moment
of a node x, called a local (computation) step, node x receives message facts and
applies its deductive, inductive and asynchronous rules. Concretely, the deductive
rules, forming a stratified Datalog¬ subprogram, are applied to the incoming messages
and the previous state of x. Next, the inductive rules are applied to the output
of the deductive subprogram, and these allow x to store facts in its memory: these
facts become visible in the next local step of x. Finally, the asynchronous rules are
also applied to the output of the deductive subprogram, and these allow x to send
facts to the other nodes or to itself. These facts become visible at the addressee after
some arbitrary delay, which represents asynchronous communication, as occurs
for instance on the Internet. We assume that all messages are eventually delivered
(and are thus never lost). We will refer to local steps simply as “steps”.

We make the above sketch more concrete in the next subsections.
5.1.1 Configurations

Let P, H, and 𝒩 be as above. A configuration describes the network at a certain
point in its evolution. Formally, a configuration of P on H is a pair ρ = (st, bf)
where

• st is a function mapping each node of 𝒩 to an instance over sch(P); and,

• bf is a function mapping each node of 𝒩 to a set of pairs of the form (i, f),
where i ∈ ℕ and f is a fact over idb(P).

We call st and bf the state and (message) buffer respectively. The state says for
each node what facts it has stored in its memory, and the message buffer bf says
for each node what messages have been sent to it but that are not yet received. The
reason for having numbers i, called send-tags, attached to facts in the image of bf
is merely a technical convenience: these numbers help separate multiple instances
of the same fact when it is sent at different moments (to the same addressee), and
these send-tags will not be visible to the Dedalus program. For example, if the
buffer of a node x simultaneously contains pairs (3, f) and (7, f), this means that
f was sent to x during the operational network transitions with indices 3 and 7,
and that both particular instances of f are not yet delivered to x. This will become
more concrete in Section 5.1.3.

The start configuration of P on input H, denoted start(P, H), is the configuration
ρ = (st, bf) defined by st(x) = H(x) and bf(x) = ∅ for each x ∈ 𝒩. In words: for
every node, the state is initialized with its local input fragment in H, and there are
no sent messages.


5.1.2 Subprograms

We look at the operations that are executed locally during each step of a node. We
have mentioned that the three types of Dedalus rules each have their own purpose
in the operational semantics. For this reason, we split the program P into three
subprograms, that contain respectively the deductive, inductive and asynchronous
rules. In Section 5.1.3 we describe how these subprograms are used in the operational
semantics.

• First, we define deduc_P to be the Datalog¬ program consisting of precisely
all deductive rules of P.

• Secondly, we define induc_P to be the Datalog¬ program consisting of all
inductive rules of P after the annotation in their head is removed.

• Thirdly, we define async_P to be the Datalog¬ program consisting of precisely
all rules

R(y, u) ← B{u, y}

where

R(u) | y ← B{u, y}

is an asynchronous rule of P. So, we basically put the variable y as the first
component in the (extended) head atom. The intuition for the generated head
facts is that the first component will represent the addressee.

Note that the programs deduc_P, induc_P and async_P are just Datalog¬ programs
over the schema sch(P), or a subschema thereof. Moreover, deduc_P is syntactically
stratifiable because the deductive rules in every Dedalus program must be
syntactically stratifiable. It is possible however that induc_P and async_P are not
syntactically stratifiable. Now we define the semantics of each of these three subprograms.

Let / be a database instance over sch{V). During each step of a node, the intuition 
of the deductive rules is that they “complete” the available facts by adding all new 
facts that can be logically derived from them. This calls for a fixpoint semantics, and 
for this reason, we define the output of deducp on input I, denoted as deducp{I), 
to be given by the stratified semantics. This implies I C deducp{I). Importantly, 
I is allowed to contain facts over idb{'P), and the intuition is that these facts were 
derived during a previous step (by inductive rules) or received as messages (as sent 
by asynchronous rules). This will become more explicit in Section [5.1.31 

During each step of a node, the intuition behind the inductive rules is that they store facts in the memory of the node, and these stored facts will become visible during the next step. There is no notion of a fixpoint here because facts that will become visible in the next step are not available in the current step to derive more facts. For this reason, we define the output of $\mathit{induc}_{\mathcal{P}}$ on input $I$ to be the set of facts derived by the rules of $\mathit{induc}_{\mathcal{P}}$ for all possible satisfying valuations in $I$, in just one derivation step. This output is denoted $\mathit{induc}_{\mathcal{P}}(I)$.

During each step of a node, the intuition behind the asynchronous rules is that they generate message facts that are to be sent around the network. The output of $\mathit{async}_{\mathcal{P}}$ on input $I$ is defined in the same way as for $\mathit{induc}_{\mathcal{P}}$, except that we now use the rules of $\mathit{async}_{\mathcal{P}}$ instead of $\mathit{induc}_{\mathcal{P}}$. This output is denoted $\mathit{async}_{\mathcal{P}}(I)$. The intuition for not requiring a fixpoint for $\mathit{async}_{\mathcal{P}}$ is that a message fact will arrive at another node, or at a later step of the sender node, and can therefore not be read during sending.

Regarding data complexity (Vardi 1982), for each subprogram the output can be computed in PTIME with respect to the size of its input.


5.1.3 Transitions and Runs 

Transitions formalize how to go from one configuration to another. Here we use the subprograms of $\mathcal{P}$. Transitions are chained to form a run. Regarding notation, for a set $m$ of pairs of the form $(i, f)$, we define $\mathit{untag}(m) = \{ f \mid \exists i \in \mathbb{N} : (i, f) \in m \}$.

A transition with send-tag $i \in \mathbb{N}$ is a five-tuple $(\rho_a, x, m, i, \rho_b)$ such that $\rho_a = (\mathit{st}_a, \mathit{bf}_a)$ and $\rho_b = (\mathit{st}_b, \mathit{bf}_b)$ are configurations of $\mathcal{P}$ on input $H$, $x \in \mathcal{N}$, $m \subseteq \mathit{bf}_a(x)$, and, letting

$$I = \mathit{st}_a(x) \cup \mathit{untag}(m),$$

$$D = \mathit{deduc}_{\mathcal{P}}(I),$$

$$\delta_{i,y} = \{ (i, R(\bar{a})) \mid R(y, \bar{a}) \in \mathit{async}_{\mathcal{P}}(D) \} \quad \text{for each } y \in \mathcal{N},$$

for $x$ and each $y \in \mathcal{N} \setminus \{x\}$ we have

$$\mathit{st}_b(x) = H(x) \cup \mathit{induc}_{\mathcal{P}}(D), \qquad \mathit{st}_b(y) = \mathit{st}_a(y),$$

$$\mathit{bf}_b(x) = (\mathit{bf}_a(x) \setminus m) \cup \delta_{i,x}, \qquad \mathit{bf}_b(y) = \mathit{bf}_a(y) \cup \delta_{i,y}.$$

We call $\rho_a$ and $\rho_b$ respectively the source and target configuration, and say this transition is of the active node $x$. Intuitively, the transition expresses that $x$ reads its old state together with the received facts in $\mathit{untag}(m)$ (thus without the tags), and describes the subsequent computation: subprogram $\mathit{deduc}_{\mathcal{P}}$ completes the available information; the new state of $x$ consists of the input facts of $x$ united with all facts derived by subprogram $\mathit{induc}_{\mathcal{P}}$; and subprogram $\mathit{async}_{\mathcal{P}}$ generates messages, whose first component indicates the addressee.¹ Note that $\mathit{induc}_{\mathcal{P}}$ and $\mathit{async}_{\mathcal{P}}$ do not influence each other, and can be thought of as being executed in parallel. Also, for each $y \in \mathcal{N}$, the set $\delta_{i,y}$ contains all messages addressed to $y$, with send-tag $i$ attached. Messages with an addressee outside the network are ignored. This way of defining local computation closely corresponds to that of the language Webdamlog (Abiteboul et al. 2011). If $m = \emptyset$, we call the transition a heartbeat.

A run $\mathcal{R}$ of $\mathcal{P}$ on input $H$ is an infinite sequence of transitions, such that (i) the source configuration of the first transition is $\mathit{start}(\mathcal{P}, H)$, (ii) the target configuration of each transition is the source configuration of the next transition, and (iii) the transition at ordinal $i$ of the sequence uses send-tag $i$. Ordinals start at $0$ for technical convenience. The resulting transition system is highly non-deterministic because in each transition we can choose the active node and also what messages to deliver; the latter choice is represented by the set $m$ from above.

Remark 2 (Parallel transitions)

Transitions as defined here can simulate parallel transitions in which multiple nodes are active at the same time and receive messages from their respective buffers. Indeed, if we had multiple nodes active during a parallel transition, they would receive messages from their buffers in isolation, and this can be represented by a chain of transitions in which these nodes receive, one after the other, precisely the messages that they received in the parallel transition. For this reason, we limit our attention to transitions with single active nodes.


5.1.4 Fairness and Arrival Function 

In the literature on process models it is customary to require certain fairness conditions on the execution of a system, for instance to exclude some extreme situations that are expected not to happen in reality (Francez 1986; Apt et al. 1988; Lamport 2000b).

Let $\mathcal{R}$ be a run of $\mathcal{P}$ on $H$. For every transition $i \in \mathbb{N}$, let $\rho_i = (\mathit{st}_i, \mathit{bf}_i)$ denote the source configuration of transition $i$. Now, $\mathcal{R}$ is called fair if:

• every node is the active node in an infinite number of transitions of $\mathcal{R}$; and,

• for every transition $i \in \mathbb{N}$, for every $y \in \mathcal{N}$, for every pair $(j, f) \in \mathit{bf}_i(y)$, there is a transition $k$ with $i \le k$ in which $(j, f)$ is delivered to $y$.

¹ Note, input facts are preserved by the transition. This aligns with the design of Dedalus, where we do not allow facts to be retracted; only negation as failure is permitted.


Intuitively, the fairness conditions disallow starvation: every node does an infinite 
number of local computation steps and every sent message is eventually delivered. 
We consider only fair runs in this paper. Note, a fair run exists for every input 
because heartbeats remain possible even when there are no messages to deliver. 

In the second condition about message deliveries, it is possible that $k = i$, and in that case $(j, f)$ is delivered in the transition immediately following configuration $\rho_i$. Because the pair $(j, f)$ can be in the message buffer of multiple nodes, this $k$ is not unique for the pair $(j, f)$ by itself. But, when we also consider the addressee $y$, it follows from the operational semantics that this $k$ is unique for the triple $(j, y, f)$.

This reasoning gives rise to a function $\alpha_{\mathcal{R}}$, called the arrival function for $\mathcal{R}$, that is defined as follows: for every transition $i$, for every node $y$, for every message $f$ sent to addressee $y$ during $i$, the function $\alpha_{\mathcal{R}}$ maps $(i, y, f)$ to the transition ordinal $k$ in which $(i, f)$ is delivered to $y$. We always have $\alpha_{\mathcal{R}}(i, y, f) > i$. Indeed, the delivery of a message can only happen after it was sent. So, when the delivery of one message causes another to be sent, the second one is delivered in a later transition. This is related to the topic of causality that we introduced in Section [?]. This topic will also be further discussed in Sections 5.2 and 5.3.


5.1.5 Timestamps and Trace 

For each transition $i$ of a run, we define the timestamp of the active node $x$ during $i$ to be the number of transitions of $x$ that come strictly before $i$. This can be thought of as the local (zero-based) clock of $x$ during $i$, and is denoted $\mathit{loc}_{\mathcal{R}}(i)$. For example, suppose we have the following sequence of active nodes: $x, y, y, x, x$, etc. If we write the timestamps next to the nodes, we get this sequence: $(x, 0)$, $(y, 0)$, $(y, 1)$, $(x, 1)$, $(x, 2)$, etc.

As a counterpart to function $\mathit{loc}_{\mathcal{R}}(\cdot)$, for each $(x, s) \in \mathcal{N} \times \mathbb{N}$ we define $\mathit{glob}_{\mathcal{R}}(x, s)$ to be the transition ordinal $i$ of $\mathcal{R}$ such that $x$ is the active node in transition $i$ and $\mathit{loc}_{\mathcal{R}}(i) = s$. In words: we find the transition in which node $x$ does its local computation step with timestamp $s$. It follows from the definition of $\mathit{loc}_{\mathcal{R}}(\cdot)$ that $\mathit{glob}_{\mathcal{R}}(x, s)$ is uniquely defined.

Let $\mathcal{R}$ be a run of $\mathcal{P}$ on input $H$. Recall that $H$ is over network $\mathcal{N}$. We now capture the computed data during $\mathcal{R}$ as a set of facts that we call the trace. For each transition $i \in \mathbb{N}$, let $x_i$ denote the active node, and let $D_i$ denote the output of subprogram $\mathit{deduc}_{\mathcal{P}}$ during $i$. The operational semantics implies that $D_i$ consists of (i) the input edb-facts at $x_i$; (ii) the inductively derived facts during the previous step of $x_i$ (if $\mathit{loc}_{\mathcal{R}}(i) \ge 1$); (iii) the messages delivered during transition $i$; and (iv) all facts deductively derived from the previous ones. So, intuitively, $D_i$ contains all local facts over $\mathit{sch}(\mathcal{P})$ that $x_i$ has during transition $i$. Recall the notations of Section 3.2.1. Now, the trace of $\mathcal{R}$ is the following instance over $\mathit{sch}(\mathcal{P})^{\mathrm{LT}}$:

$$\mathit{trace}(\mathcal{R}) = \bigcup_{i \in \mathbb{N}} \ldots$$

The trace shows in detail what happens in the run, in terms of what facts are available on the nodes during which of their steps.
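The operational semantics of Sections 5.1.3 to 5.1.5 on a finite prefix of a run, as an added example that is not from the paper: the two-node program, its input $H$ and the schedule below are constructed for illustration, and the three subprograms $\mathit{deduc}_{\mathcal{P}}$, $\mathit{induc}_{\mathcal{P}}$ and $\mathit{async}_{\mathcal{P}}$ are written directly as Python functions over sets of facts instead of as Datalog$^\neg$ rules.

```python
"""Finite prefix of a run in the operational semantics of Section 5.1.
Added example: the two-node program below is constructed for illustration and
is not from the paper. Facts are tuples (relation, arg, ...)."""
from collections import defaultdict

NETWORK = ("a", "b")
# Input distributed database instance H (constructed): a value and a peer per node.
H = {"a": {("val", 1), ("peer", "b")}, "b": {("val", 2), ("peer", "a")}}


def deduc_P(I):
    """Deductive rule double(2v) <- val(v), evaluated to a fixpoint; I is kept."""
    D = set(I)
    while True:
        new = {("double", 2 * f[1]) for f in D if f[0] == "val"} - D
        if not new:
            return D
        D |= new


def induc_P(D):
    """Inductive rules seen(v)@next <- rcv(v) and seen(v)@next <- seen(v):
    a single derivation step, no fixpoint (results are visible next step only)."""
    return {("seen", f[1]) for f in D if f[0] in ("rcv", "seen")}


def async_P(D):
    """Asynchronous rule rcv(v) | y <- double(v), peer(y), rewritten with the
    addressee y as the first head component: rcv(y, v)."""
    return {("rcv", p[1], d[1]) for p in D if p[0] == "peer"
            for d in D if d[0] == "double"}


def untag(m):
    return {f for (_, f) in m}


def run_prefix(schedule):
    """schedule[i] = (active node x, send-tags of buffered messages to deliver
    in transition i); None delivers the whole buffer, an empty set is a
    heartbeat. Returns loc_R, glob_R, the arrival function alpha_R, and the
    trace as (node, timestamp, fact) triples."""
    st = {x: set(H[x]) for x in NETWORK}      # start configuration
    bf = {x: set() for x in NETWORK}
    steps = defaultdict(int)
    loc, glob, alpha, trace = [], {}, {}, set()
    for i, (x, tags) in enumerate(schedule):
        m = {p for p in bf[x] if tags is None or p[0] in tags}   # m subset of bf_a(x)
        D = deduc_P(st[x] | untag(m))
        delta = defaultdict(set)               # delta[y]: messages to y, send-tag i
        for head in async_P(D):
            R, y, args = head[0], head[1], head[2:]
            if y in NETWORK:                   # addressees outside the network are ignored
                delta[y].add((i, (R,) + args))
        st[x] = set(H[x]) | induc_P(D)         # input facts are never retracted
        bf[x] = (bf[x] - m) | delta[x]
        for y in NETWORK:
            if y != x:
                bf[y] |= delta[y]
        for (j, f) in m:                       # (j, f) is delivered to x in transition i
            alpha[(j, x, f)] = i
        s = steps[x]                           # timestamp: earlier transitions of x
        steps[x] += 1
        loc.append(s)
        glob[(x, s)] = i
        trace |= {(x, s, f) for f in D}        # D_i annotated with (x_i, loc_R(i))
    return loc, glob, alpha, trace


if __name__ == "__main__":
    sched = [("a", None), ("b", None), ("b", None), ("a", None), ("a", None)]
    loc, glob, alpha, trace = run_prefix(sched)
    print(loc)          # [0, 0, 1, 1, 2], the sequence x, y, y, x, x of Section 5.1.5
    print(alpha)
```

The schedule in the usage block reproduces the active-node sequence $x, y, y, x, x$ of Section 5.1.5; transition 3 delivers two copies of the same message fact with different send-tags, which is why the arrival function is keyed on the tag as well as the fact.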


5.2 Run to Model 

Let $\mathcal{P}$ be a Dedalus program and let $H$ be an input distributed database instance for $\mathcal{P}$, over a network $\mathcal{N}$. Let $\mathcal{R}$ be a fair run of $\mathcal{P}$ on input $H$. We show there is a model $M$ of $\mathcal{P}$ on $H$ such that $\mathit{trace}(\mathcal{R}) = M|_{\mathit{sch}(\mathcal{P})^{\mathrm{LT}}}$. The main idea is that we translate the transitions of $\mathcal{R}$ to facts over the schema of $\mathit{pure}(\mathcal{P})$.

First, in Section 5.2.1 we extract the happens-before relation on nodes and timestamps from $\mathcal{R}$. Next, in Section 5.2.2 we define the desired model $M$.


5.2.1 Happens-before Relation 

In the operational semantics, we order the actions of the nodes on a fine-grained global time axis, by ordering the transitions in the runs. By contrast, we now define a partial order on $\mathcal{N} \times \mathbb{N}$, saying which steps of nodes must have come before which steps of (other) nodes, without referring to the global ordering imposed by transitions.

First, we extract from $\mathcal{R}$ the message sending and receiving events. Formally, we define $\mathit{mesg}(\mathcal{R})$ to be the set of all tuples $(x, s, y, t, f)$, with $f$ a fact, such that, denoting $i = \mathit{glob}_{\mathcal{R}}(x, s)$ and $j = \mathit{glob}_{\mathcal{R}}(y, t)$, we have $\alpha_{\mathcal{R}}(i, y, f) = j$, i.e., node $x$ during step $s$ sends message $f$ to $y$, which arrives at step $t$ of $y$, with possibly $x = y$. In words: $\mathit{mesg}(\mathcal{R})$ contains the direct relationships between local steps of nodes that arise through message sending.

From $\mathcal{R}$ we can now extract the happens-before relation (Attiya and Welch 2004) on the set $\mathcal{N} \times \mathbb{N}$, which is defined as the smallest relation $\prec_{\mathcal{R}}$ on $\mathcal{N} \times \mathbb{N}$ that satisfies the following three conditions:

• for each $(x, s) \in \mathcal{N} \times \mathbb{N}$, we have $(x, s) \prec_{\mathcal{R}} (x, s+1)$;

• $(x, s) \prec_{\mathcal{R}} (y, t)$ whenever for some fact $f$ we have $(x, s, y, t, f) \in \mathit{mesg}(\mathcal{R})$;

• $\prec_{\mathcal{R}}$ is transitive, i.e., $(x, s) \prec_{\mathcal{R}} (z, u) \prec_{\mathcal{R}} (y, t)$ implies $(x, s) \prec_{\mathcal{R}} (y, t)$.

We call these three cases respectively local edges, message edges and transitive 
edges. Naturally, the first two cases express a direct relationship, whereas the third 
case is more indirect. 

Note, if two runs on the same input have the same happens-before relation, they do not necessarily have the same trace. This is because relation $\prec_{\mathcal{R}}$ does not talk about the specific messages that arrive at the nodes.

We will now show that $\prec_{\mathcal{R}}$ is a strict partial order. Consider first the following property:










Lemma 1

For every run $\mathcal{R}$, for each $(x, s) \in \mathcal{N} \times \mathbb{N}$ and $(y, t) \in \mathcal{N} \times \mathbb{N}$, if $(x, s) \prec_{\mathcal{R}} (y, t)$ then $\mathit{glob}_{\mathcal{R}}(x, s) < \mathit{glob}_{\mathcal{R}}(y, t)$.

Proof 

We can consider a path from $(x, s)$ to $(y, t)$ in $\prec_{\mathcal{R}}$. We can substitute each transitive edge in this path with a subpath of non-transitive edges. This results in a path of only non-transitive edges:

$$(x_1, s_1) \prec_{\mathcal{R}} (x_2, s_2) \prec_{\mathcal{R}} \cdots \prec_{\mathcal{R}} (x_n, s_n),$$

where $n \ge 2$, $(x_1, s_1) = (x, s)$ and $(x_n, s_n) = (y, t)$. Because there are no transitive edges, for each $i \in \{1, \ldots, n-1\}$ the edge $(x_i, s_i) \prec_{\mathcal{R}} (x_{i+1}, s_{i+1})$ falls into one of the following two cases:

• $x_i = x_{i+1}$ and $s_{i+1} = s_i + 1$ (local edge);

• $x_i$ during step $s_i$ sends a message to $x_{i+1}$ that arrives in step $s_{i+1}$ of $x_{i+1}$ (message edge).

In the first case, it follows from the definition of $\mathit{loc}_{\mathcal{R}}(\cdot)$ that

$$\mathit{glob}_{\mathcal{R}}(x_i, s_i) < \mathit{glob}_{\mathcal{R}}(x_{i+1}, s_{i+1}).$$

For the second case, by our operational semantics, every message is always delivered in a later transition than the one in which it was sent. So, again we have

$$\mathit{glob}_{\mathcal{R}}(x_i, s_i) < \mathit{glob}_{\mathcal{R}}(x_{i+1}, s_{i+1}).$$

Since this property holds for all the above edges, by transitivity we thus have $\mathit{glob}_{\mathcal{R}}(x, s) < \mathit{glob}_{\mathcal{R}}(y, t)$, as desired. □

Corollary 1 

For every run $\mathcal{R}$, the relation $\prec_{\mathcal{R}}$ is a strict partial order on $\mathcal{N} \times \mathbb{N}$.

Proof 

From its definition, we immediately have that $\prec_{\mathcal{R}}$ is transitive. Secondly, irreflexivity for $\prec_{\mathcal{R}}$ follows from Lemma 1. □
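The happens-before relation of Section 5.2.1, together with checks of Lemma 1 and Corollary 1, on a finite run prefix; this is an added example, not from the paper. The sequence of active nodes and the set $\mathit{mesg}(\mathcal{R})$ are constructed by hand (the node sequence is the $x, y, y, x, x$ of Section 5.1.5), and the function names are our own.

```python
"""Happens-before relation of Section 5.2.1 on a finite run prefix, with a
check of Lemma 1 and Corollary 1. Added example, not from the paper: the
sequence of active nodes and the set mesg(R) below are constructed by hand."""

# Active node of transitions 0..4: the sequence x, y, y, x, x of Section 5.1.5.
ACTIVE = ["a", "b", "b", "a", "a"]

# mesg(R): tuples (x, s, y, t, f) meaning that node x during its step s sends
# the fact f to y, which receives it during its step t (constructed so that
# every message is received in a later transition than the one that sent it).
MESG = [
    ("a", 0, "b", 1, ("rcv", 2)),
    ("b", 0, "a", 1, ("rcv", 4)),
    ("b", 1, "a", 1, ("rcv", 4)),
]


def clocks(active):
    """loc_R(i) for every transition i, and its inverse glob_R(x, s)."""
    count, loc, glob = {}, [], {}
    for i, x in enumerate(active):
        s = count.get(x, 0)
        count[x] = s + 1
        loc.append(s)
        glob[(x, s)] = i
    return loc, glob


def happens_before(active, mesg):
    """The smallest relation on the steps of the prefix that contains the local
    edges (x, s) -> (x, s+1) and the message edges taken from mesg, and that is
    transitive. Returned as a set of ((x, s), (y, t)) pairs."""
    _, glob = clocks(active)
    edges = set()
    for (x, s) in glob:
        if (x, s + 1) in glob:                       # local edge
            edges.add(((x, s), (x, s + 1)))
    for (x, s, y, t, _) in mesg:                     # message edge
        edges.add(((x, s), (y, t)))
    changed = True                                   # transitive closure
    while changed:
        changed = False
        for (p, q) in list(edges):
            for (q2, r) in list(edges):
                if q == q2 and (p, r) not in edges:
                    edges.add((p, r))
                    changed = True
    return edges


def is_strict_partial_order(rel):
    """Corollary 1: the relation is irreflexive and transitive."""
    irreflexive = all(p != q for (p, q) in rel)
    transitive = all((p, r) in rel
                     for (p, q) in rel for (q2, r) in rel if q == q2)
    return irreflexive and transitive


def lemma1_holds(active, mesg):
    """Lemma 1: (x, s) <_R (y, t) implies glob_R(x, s) < glob_R(y, t)."""
    _, glob = clocks(active)
    return all(glob[p] < glob[q]
               for (p, q) in happens_before(active, mesg))


if __name__ == "__main__":
    for p, q in sorted(happens_before(ACTIVE, MESG)):
        print(p, "->", q)
    print("Lemma 1 holds:", lemma1_holds(ACTIVE, MESG))
```

Adding a message event that would arrive before it was sent (which no run can produce) makes both checks fail, since the added edge closes a cycle through the local edges.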


5.2.2 Definition of M 

Now we define the model $M$:

$$M = \mathit{decl}(H) \cup \bigcup_{i \in \mathbb{N}} \mathit{trans}_i,$$

where $\mathit{trans}_i$ for each $i \in \mathbb{N}$ is an instance over the schema of $\mathit{pure}(\mathcal{P})$ that describes transition $i$ of $\mathcal{R}$.² Let $i \in \mathbb{N}$. We define $\mathit{trans}_i$ as

$$\mathit{trans}_i = \mathit{caus}_i \cup \mathit{fin}_i \cup \mathit{duc}_i \cup \mathit{snd}_i,$$

where each of these sets focuses on a different aspect of transition $i$, and they are defined next. Regarding notation, let $\prec_{\mathcal{R}}$ be the happens-before relation as defined in the preceding subsection; let $\mathit{loc}_{\mathcal{R}}(\cdot)$ and $\alpha_{\mathcal{R}}$ be as defined in Section 5.1; let $x_i$ denote the active node of transition $i$; and let us abbreviate $s_i = \mathit{loc}_{\mathcal{R}}(i)$.

² Note, $M$ must include the input $\mathit{decl}(H)$ by definition of stable model (see Section 3.2.3).

Causality We define $\mathit{caus}_i$ to consist of all facts $\mathtt{before}(x, s, x_i, s_i)$ for which $(x, s) \in \mathcal{N} \times \mathbb{N}$ and $(x, s) \prec_{\mathcal{R}} (x_i, s_i)$. Intuitively, $\mathit{caus}_i$ represents the joint result of rules (7), (5) and (10), corresponding to respectively the local edges, transitive edges and message edges of $\prec_{\mathcal{R}}$.

Finite Messages We define $\mathit{fin}_i$ to represent that only a finite number of messages are delivered in transition $i$, thus at step $s_i$ of node $x_i$. We proceed as follows. First, let $\mathit{senders}_i$ be the set of all pairs $(x, s) \in \mathcal{N} \times \mathbb{N}$ such that, denoting $j = \mathit{glob}_{\mathcal{R}}(x, s)$, for some fact $f$ we have $\alpha_{\mathcal{R}}(j, x_i, f) = i$, i.e., the node $x$ during its step $s$ sends a message to $x_i$ with arrival timestamp $s_i$. It follows from the operational semantics that for each $(x, s) \in \mathit{senders}_i$ we have $\mathit{glob}_{\mathcal{R}}(x, s) < i$.

Now, we define $\mathit{fin}_i$ to consist of the following facts:

• the fact $\mathtt{hasSender}(x_i, s_i, x, s)$ for each $(x, s) \in \mathit{senders}_i$, representing the result of rule (11);

• the fact $\mathtt{isSmaller}(x_i, s_i, x, s)$ for each $(x, s) \in \mathit{senders}_i$ and $(x, s') \in \mathit{senders}_i$ with $s < s'$, representing the result of rule (12); and,

• the fact $\mathtt{hasMax}(x_i, s_i, x)$ for each sender-node $x$ mentioned in $\mathit{senders}_i$, representing the result of rule (13).

We know that in $\mathcal{R}$ only a finite number of messages arrive at step $s_i$ of $x_i$. Hence, we add no fact $\mathtt{rcvInf}(x_i, s_i)$ to $\mathit{fin}_i$. This also explains why the specification of the hasMax-facts above is relatively simple: there is always a maximum send-timestamp for each sender-node.

Deductive Let $D_i$ denote the output of subprogram $\mathit{deduc}_{\mathcal{P}}$ during transition $i$. We define $\mathit{duc}_i$ to consist of the facts $\ldots$ Intuitively, $\mathit{duc}_i$ represents all facts over $\mathit{sch}(\mathcal{P})$ that are available at $x_i$ during step $s_i$, i.e., the joint result of rules in $\mathit{pure}(\mathcal{P})$ of the form (1), (2) and (3).

Sending We define $\mathit{snd}_i$ to represent the sending of messages during transition $i$. We proceed as follows. Let $\mathit{mesg}_i$ denote the output of subprogram $\mathit{async}_{\mathcal{P}}$ during transition $i$, restricted to the facts having their addressee-component in the network. Now, we define $\mathit{snd}_i$ to consist of the following facts:

• all facts $\mathtt{cand}_R(x_i, s_i, y, t, \bar{a})$ for which $R(y, \bar{a}) \in \mathit{mesg}_i$ and $t \in \mathbb{N}$ such that $(y, t) \not\prec_{\mathcal{R}} (x_i, s_i)$, representing the result of rule (?);

• all facts $\mathtt{chosen}_R(x_i, s_i, y, t, \bar{a})$ for which $R(y, \bar{a}) \in \mathit{mesg}_i$ and $t = \mathit{loc}_{\mathcal{R}}(j)$ with $j = \alpha_{\mathcal{R}}(i, y, R(\bar{a}))$, representing the result of rule (?); and,

• all facts $\mathtt{other}_R(x_i, s_i, y, u, \bar{a})$ for which $R(y, \bar{a}) \in \mathit{mesg}_i$, $u \in \mathbb{N}$, $(y, u) \not\prec_{\mathcal{R}} (x_i, s_i)$ and $u \ne \mathit{loc}_{\mathcal{R}}(j)$ with $j = \alpha_{\mathcal{R}}(i, y, R(\bar{a}))$, representing the result of rule (?).
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Conclusion We can show that M is indeed a model of V on input H; this proof 
can be found in [Appendix A| of the online appendix to the paper. By construction 
of M, we have, as desired: 

Mlschiv)-^-^ = IJ duc^' = y = tracein)- 

ieN iGN 


5.3 Model to Run 

Let $\mathcal{P}$ be a Dedalus program and let $H$ be an input distributed database instance for $\mathcal{P}$, over some network $\mathcal{N}$. Let $M$ be a model of $\mathcal{P}$ on input $H$. We show there is a fair run $\mathcal{R}$ of $\mathcal{P}$ on input $H$ such that $\mathit{trace}(\mathcal{R}) = M|_{\mathit{sch}(\mathcal{P})^{\mathrm{LT}}}$.

The direction shown in Section 5.2 is perhaps the most intuitive one, because we only have to show that a concrete set of facts is actually a stable model. In this section we do not yet understand what $M$ can contain. So, a first important step is to show that $M$ has some desirable properties that allow us to construct a run from it.

Using the notation from Section 3.2.3, let $G$ abbreviate the ground program $\mathit{ground}_M(C, I)$ where $C = \mathit{pure}(\mathcal{P})$ and $I = \mathit{decl}(H)$. By definition of $M$ as a stable model, we have $M = G(I)$.

First, it is important to know that in $M$ we find location specifiers where we expect location specifiers and we find timestamps where we expect timestamps. Formally, we call $M$ well-formed if:

• for each $R(x, s, \bar{a}) \in M$ we have $x \in \mathcal{N}$ and $s \in \mathbb{N}$;

• for each $\mathtt{before}(x, s, y, t) \in M$, we have $x, y \in \mathcal{N}$ and $s, t \in \mathbb{N}$;

• for each fact $\mathtt{cand}_R(x, s, y, t, \bar{a})$, $\mathtt{chosen}_R(x, s, y, t, \bar{a})$ and $\mathtt{other}_R(x, s, y, t, \bar{a})$ in $M$, we have $x, y \in \mathcal{N}$ and $s, t \in \mathbb{N}$;

• for each fact $\mathtt{hasSender}(x, s, y, t)$, $\mathtt{isSmaller}(x, s, y, t)$, $\mathtt{hasMax}(x, s, y)$ and $\mathtt{rcvInf}(x, s)$ in $M$, we have $x, y \in \mathcal{N}$ and $s, t \in \mathbb{N}$.

It can be shown by induction on the fixpoint computation of G that M is always 
well-formed. We omit the details. 

The rest of this subsection is organized as follows. In Section 5.3.1 we extract a happens-before relation $\prec_M$ from $M$. Next, in Section 5.3.2 we construct a run $\mathcal{R}$: we use $\prec_M$ to establish a total order on $\mathcal{N} \times \mathbb{N}$ that tells us which are the active nodes in the transitions of $\mathcal{R}$. Finally, we show in Section 5.3.3 that $\mathcal{R}$ is fair.


5.3.1 Partial Order 

We define the following relation on $\mathcal{N} \times \mathbb{N}$: for each $(x, s) \in \mathcal{N} \times \mathbb{N}$ and $(y, t) \in \mathcal{N} \times \mathbb{N}$, we write $(x, s) \prec_M (y, t)$ if and only if $\mathtt{before}(x, s, y, t) \in M$. The rest of this section is dedicated to showing that $\prec_M$ is a well-founded strict partial order on $\mathcal{N} \times \mathbb{N}$.

Let $G$ abbreviate the ground program $\mathit{ground}_M(C, I)$ where $C = \mathit{pure}(\mathcal{P})$ and $I = \mathit{decl}(H)$. Regarding terminology, an edge $(x, s) \prec_M (y, t)$ is called a local edge, a message edge or a transitive edge if the fact $\mathtt{before}(x, s, y, t) \in M$ can be derived by a ground rule in $G$ of respectively the form (7), the form (10) or the form (5). It is possible that an edge is of two or even three types at the same time.

Consider the following claim: 

Claim 5

Relation $\prec_M$ is a strict partial order on $\mathcal{N} \times \mathbb{N}$.

Proof 

We show that $\prec_M$ is transitive and irreflexive.

Transitive First, we show that $\prec_M$ is transitive. Suppose we have $(x, s) \prec_M (z, u)$ and $(z, u) \prec_M (y, t)$. We have to show that $(x, s) \prec_M (y, t)$. By definition of $\prec_M$, we have $\mathtt{before}(x, s, z, u) \in M$ and $\mathtt{before}(z, u, y, t) \in M$. Because rule (5) is positive, we have the following ground rule in $G$:

$$\mathtt{before}(x, s, y, t) \leftarrow \mathtt{before}(x, s, z, u),\ \mathtt{before}(z, u, y, t).$$

Because $M$ is a stable model and the body of the previous ground rule is in $M$, we obtain $\mathtt{before}(x, s, y, t) \in M$. Hence, $(x, s) \prec_M (y, t)$, as desired.

Irreflexive Because an edge $(x, s) \prec_M (x, s)$ for any $(x, s) \in \mathcal{N} \times \mathbb{N}$ would form a cycle of length one, it is sufficient to show that there are no cycles in $\prec_M$ at all. This gives us irreflexivity, as desired.

First, consider the restriction of $\prec_M$ to the edges that are local or message edges. Note that this definition allows some edges in the restriction to also be transitive. The edges that are missing from the restriction with respect to $\prec_M$ are only derivable by ground rules of the form (5); we call these the pure transitive edges. We start by showing that the restriction contains no cycles, by contradiction. So, suppose that there is a cycle in $\mathcal{N} \times \mathbb{N}$ through the edges of the restriction:

$$(x_1, s_1) \prec_M (x_2, s_2) \prec_M \cdots \prec_M (x_n, s_n)$$

with $n \ge 2$ and $(x_1, s_1) = (x_n, s_n)$. We have $\mathtt{before}(x_i, s_i, x_{i+1}, s_{i+1}) \in M$ for each $i \in \{1, \ldots, n-1\}$. Based on these before-facts, ground rules in $G$ of the form (5) will have derived $\mathtt{before}(x_i, s_i, x_j, s_j) \in M$ for each $i, j \in \{1, \ldots, n\}$.

If each edge on the above cycle were only local, then for each $i, j \in \{1, \ldots, n\}$ with $i < j$ we would have $x_i = x_j$ and $s_i < s_j$, and hence $s_1 \ne s_n$, which is false. So, there has to be some $k \in \{1, \ldots, n-1\}$ such that $(x_k, s_k) \prec_M (x_{k+1}, s_{k+1})$ is a message edge, derived by a ground rule of the form (10):

$$\mathtt{before}(x_k, s_k, x_{k+1}, s_{k+1}) \leftarrow \mathtt{chosen}_R(x_k, s_k, x_{k+1}, s_{k+1}, \bar{a}).$$

Therefore $\mathtt{chosen}_R(x_k, s_k, x_{k+1}, s_{k+1}, \bar{a}) \in M$. This $\mathtt{chosen}_R$-fact must be derived by a ground rule of the form (?) in $G$, which implies that

$$\mathtt{cand}_R(x_k, s_k, x_{k+1}, s_{k+1}, \bar{a}) \in M.$$

This $\mathtt{cand}_R$-fact must in turn be derived by a ground rule $\psi$ of the form (?). The body of such a ground rule has to be in $M$. Because rules of the form (?) in $\mathit{pure}(\mathcal{P})$ contain a negative before-atom in their body, the presence of $\psi$ in $G$ requires that $\mathtt{before}(x_{k+1}, s_{k+1}, x_k, s_k) \notin M$. But that is a contradiction, because $\mathtt{before}(x_i, s_i, x_j, s_j) \in M$ for each $i, j \in \{1, \ldots, n\}$ (see above).

Now we show there are no cycles in the entire relation $\prec_M$. Since $M = G(\mathit{decl}(H))$, we have $M = \bigcup_{i \in \mathbb{N}} M_i$, where $M_0 = \mathit{decl}(H)$ and $M_i = T(M_{i-1})$ for each $i \ge 1$, with $T$ the immediate consequence operator of $G$. By induction on $i$, we show that an edge $\mathtt{before}(x, s, y, t) \in M_i$ either is a local or message edge, or can be replaced by a path of local or message edges in $M_i$. Then any cycle in $\prec_M$ would imply a cycle in the restriction to local and message edges, which is impossible. So, $\prec_M$ cannot contain cycles. Now, this induction property is satisfied for the base case because $M_0$ does not contain before-facts. For the induction hypothesis, assume the property holds for $M_{i-1}$, where $i \ge 1$. For the inductive step, let $\mathtt{before}(x, s, y, t) \in M_i \setminus M_{i-1}$. If this fact is derived by a ground rule of the form (7) or (10), then the property is satisfied. Now suppose the fact is derived by a ground rule of the form (5):

$$\mathtt{before}(x, s, y, t) \leftarrow \mathtt{before}(x, s, z, u),\ \mathtt{before}(z, u, y, t).$$

Both body facts are in $M_{i-1}$, implying that $M_{i-1}$ contains a path of local or message edges from $(x, s)$ to $(z, u)$ and from $(z, u)$ to $(y, t)$. Hence, using $M_{i-1} \subseteq M_i$, the edge $\mathtt{before}(x, s, y, t) \in M_i$ can be replaced by a path of local or message edges in $M_i$. □

In Section [?] we have added extra rules to $\mathit{pure}(\mathcal{P})$ to enforce that every node only receives a finite number of messages during each step. We now verify that this works correctly:

Claim 6

For each $(y, t) \in \mathcal{N} \times \mathbb{N}$ there are only a finite number of pairs $(x, s) \in \mathcal{N} \times \mathbb{N}$ such that $(x, s) \prec_M (y, t)$ is a message edge.

Proof 

We start by noting that $M$ does not contain the fact $\mathtt{rcvInf}(y, t)$. Indeed, in order to derive this fact, we need a ground rule in $G$ of the form (14), which has a body fact of the form $\mathtt{hasSender}(y, t, x, s)$. Such hasSender-facts must be generated by ground rules in $G$ of the form (11). The rule (11) negatively depends on relation rcvInf. Thus, specifically, if we want a ground rule in $G$ that can derive $\mathtt{hasSender}(y, t, x, s)$, we should require the absence of $\mathtt{rcvInf}(y, t)$ from $M$. So $\mathtt{rcvInf}(y, t) \in M$ requires $\mathtt{rcvInf}(y, t) \notin M$, which is impossible.

The rest of the proof works towards a contradiction. So, suppose that $(y, t)$ has an infinite number of incoming message edges. Because there are only a finite number of nodes in $\mathcal{N}$, there has to be a node $x$ that has an infinite number of timestamps $s$ such that $\mathtt{before}(x, s, y, t) \in M$ is a message edge. Since it is a message edge, such a fact $\mathtt{before}(x, s, y, t)$ can be generated by a ground rule in $G$ of the form (10), which implies that there is a relation $R$ in $\mathit{idb}(\mathcal{P})$ and a tuple $\bar{a}$ such that $\mathtt{chosen}_R(x, s, y, t, \bar{a}) \in M$. Because $\mathtt{rcvInf}(y, t) \notin M$ (see above), for each of these $\mathtt{chosen}_R$-facts there is a ground rule of the form (11) in $G$ that derives $\mathtt{hasSender}(y, t, x, s) \in M$.

Rule (14) has a negative hasMax-atom in its body. If we can show that $\mathtt{hasMax}(y, t, x) \notin M$, then there will be a ground rule in $G$ of the form (14), where $\mathtt{hasSender}(y, t, x, s) \in M$:

$$\mathtt{rcvInf}(y, t) \leftarrow \mathtt{hasSender}(y, t, x, s).$$

This then causes $\mathtt{rcvInf}(y, t) \in M$, giving the desired contradiction.

Also towards a proof by contradiction, suppose that $\mathtt{hasMax}(y, t, x) \in M$. This means that there is a ground rule $\varphi$ in $G$ of the form (13):

$$\mathtt{hasMax}(y, t, x) \leftarrow \mathtt{hasSender}(y, t, x, s).$$

Because the rule (13) contains a negative isSmaller-atom in the body, and because $\varphi \in G$, we know that $\mathtt{isSmaller}(y, t, x, s) \notin M$. But because there are infinitely many facts of the form $\mathtt{hasSender}(y, t, x, s') \in M$, there is at least one fact $\mathtt{hasSender}(y, t, x, s') \in M$ with $s < s'$. Moreover, the rule (12) is positive, and therefore the following ground rule is always in $G$:

$$\mathtt{isSmaller}(y, t, x, s) \leftarrow \mathtt{hasSender}(y, t, x, s),\ \mathtt{hasSender}(y, t, x, s'),\ s < s'.$$

Since the body of this ground rule is in $M$, the rule derives $\mathtt{isSmaller}(y, t, x, s) \in M$, which gives the desired contradiction. □

An ordering $\prec$ on a set $A$ is called well-founded if for each $a \in A$ there are only a finite number of elements $b \in A$ such that $b \prec a$. We now use Claim 5 to show:

Claim 7

Relation $\prec_M$ on $\mathcal{N} \times \mathbb{N}$ is well-founded.

Proof 

Let $(x, s) \in \mathcal{N} \times \mathbb{N}$. We have to show that there are only a finite number of pairs $(y, t) \in \mathcal{N} \times \mathbb{N}$ such that $(y, t) \prec_M (x, s)$. Technically, we can limit our attention to paths in $\prec_M$ consisting of local edges and message edges, because if we can show that there are only a finite number of predecessors of $(x, s)$ on such paths, then there are only a finite number of predecessors when we include the transitive edges as well. First we show that every pair $(y, t) \in \mathcal{N} \times \mathbb{N}$ has only a finite number of incoming local and message edges. If $t > 0$, we can immediately see that $(y, t)$ has precisely one incoming local edge, as created by a ground rule of the form (7), and if $t = 0$ then $(y, t)$ has no incoming local edge. Also, Claim 6 tells us that $(y, t)$ has only a finite number of incoming message edges. So, the number of incoming local and message edges in $(y, t)$ is finite.

Let $(y, t) \in \mathcal{N} \times \mathbb{N}$ be a pair such that $(y, t) \prec_M (x, s)$ is a local edge or a message edge. Starting in $(x, s)$, we can follow this edge backwards so that we reach $(y, t)$. If $(y, t)$ itself has incoming local or message edges, from $(y, t)$ we can again follow an edge backwards. This way we can incrementally construct backward paths starting from $(x, s)$. Because at each pair of $\mathcal{N} \times \mathbb{N}$ there are only a finite number of incoming local or message edges (shown above), if $(x, s)$ had an infinite number of predecessors, we would be able to construct a backward path of infinite length. We now show that the existence of such an infinite path leads to a contradiction. So, suppose that there is a backward path of infinite length. Because there are only a finite number of nodes in the network $\mathcal{N}$, there must be a node $y$ that occurs infinitely often on this path. We will now show that, as we progress further along the backward path, we must see the local timestamps of $y$ strictly decrease. Hence, we must eventually reach timestamp $0$ of $y$, after which we cannot decrement the timestamps of $y$ anymore, and thus it is impossible that $y$ occurs infinitely often along the path. Suppose that the timestamps of $y$ do not strictly decrease. There are two cases. First, if the same pair $(y, t)$ occurred twice on the path, we would have a cycle in $\prec_M$, which is not possible by Claim 5. Secondly, suppose that there are two timestamps $t$ and $t'$ of $y$ such that $t < t'$ and $(y, t)$ occurs before $(y, t')$ on the backward path, meaning that $(y, t)$ lies closer to $(x, s)$. Because the edges were followed in reverse, we have

$$(y, t') \prec_M (y, t).$$

But since $t < t'$, by means of local edges we always have

$$(y, t) \prec_M (y, t+1) \prec_M \cdots \prec_M (y, t').$$

So, there would be a cycle between $(y, t')$ and $(y, t)$. But that is again impossible by Claim 5. □


5.3.2 Construction of Run 

Let $\prec_M$ be the well-founded strict partial order on $\mathcal{N} \times \mathbb{N}$ as defined in the preceding subsection. The relation $\prec_M$ has the intuition of a happens-before relation of a run (Section 5.2.1), but the novelty is that it comes from a purely declarative model $M$. We will now use $\prec_M$ to construct a run $\mathcal{R}$ such that $\mathit{trace}(\mathcal{R}) = M|_{\mathit{sch}(\mathcal{P})^{\mathrm{LT}}}$.

Total order It is well known that a well-founded strict partial order can be extended to a well-founded strict total order. So, let $<_M$ be a well-founded strict total order on $\mathcal{N} \times \mathbb{N}$ that extends $\prec_M$, i.e., for each $(x, s) \in \mathcal{N} \times \mathbb{N}$ and $(y, t) \in \mathcal{N} \times \mathbb{N}$, if $(x, s) \prec_M (y, t)$ then $(x, s) <_M (y, t)$, but the reverse does not have to hold.

Ordering the set $\mathcal{N} \times \mathbb{N}$ according to $<_M$ gives us a sequence of pairs that will form the transitions in the constructed run $\mathcal{R}$. Concretely, we obtain a sequence of nodes by taking the node-component from each pair. This will form our sequence of active nodes. Similarly, by taking the timestamp-component from each pair of $\mathcal{N} \times \mathbb{N}$, we obtain a sequence of timestamps. These are the local clocks of the active nodes during their transitions.

We introduce some extra notation to help us reason about the ordering of time that is implied by $<_M$. For each $(x, s) \in \mathcal{N} \times \mathbb{N}$, let $\mathit{glob}_M(x, s) \in \mathbb{N}$ denote the ordinal of $(x, s)$ as implied by $<_M$, which is well-defined because $<_M$ is well-founded. For technical convenience, we let ordinals start at $0$. Note, $\mathit{glob}_M(\cdot)$ is an injective function. For any $i \in \mathbb{N}$, we define $(x_i, s_i)$ to be the unique pair in $\mathcal{N} \times \mathbb{N}$ such that $\mathit{glob}_M(x_i, s_i) = i$.
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As a counterpart to function globj^{-), for each i S N and each x € Af, let 
locMih x) denote the size of the set 

{s e N I globj^f{x, s) < *}• 

Intuitively, if i is regarded to be the ordinal of a transition in a run, locM{h is 
the number of local steps of x that came before transition *, i.e., the number of 
transitions before i in which x was the active node, li x = Xi (the active node) 
then locMii, x) is effectively the timestamp of x during transition j, and ii x ^ Xi 
then locM{i,x) is the next timestamp of x that still has to come after transition 
i. Note, the functions globj^{-) and Iocm{-) closely resemble the functions glob-j^{-) 
and locTi{-) of Section [5. 1.51 

Configurations We will now define the desired run $\mathcal{R}$ of $\mathcal{P}$ on $H$. First we define an infinite sequence of configurations $\rho_0, \rho_1, \rho_2$, etc. In a second step we will connect each pair of subsequent configurations by a transition. Recall from Section 5.1.1 that a configuration describes for each node what facts it has stored locally (state), and also what messages have been sent to this node but are not yet received (message buffer). The facts that are stored on a node are either input edb-facts, or facts derived by inductive rules in a previous step of the node. The first kind of facts can be easily obtained from $M$ by keeping only the facts over schema $\mathit{edb}(\mathcal{P})^{\mathrm{LT}}$, which gives a subset of $\mathit{decl}(H)$.

For the second kind of state facts, we look at the inductively derived facts in $M$. Rules in $\mathit{pure}(\mathcal{P})$ that represent inductive rules of $\mathcal{P}$ are recognizable as rules of the form (2): they have a head atom over $\mathit{sch}(\mathcal{P})^{\mathrm{LT}}$ and they have a (positive) tsucc-atom in their body. No other kind of rule in $\mathit{pure}(\mathcal{P})$ has this form. Hence, the ground rules in $G$ that are based on rules of the form (2) are also easily recognizable, and we will call these inductive ground rules. A ground rule $\psi \in G$ is called active on $M$ if $\mathit{pos}_\psi \subseteq M$, which implies $\mathit{head}_\psi \in M$ because $M$ is stable. Consider the set of all head atoms of inductive ground rules in $G$ that are active on $M$; note that this set is a subset of $M$. Regarding notation, for an instance $I$ over $\mathit{sch}(\mathcal{P})^{\mathrm{LT}}$, we write $\ldots$ to denote the set $\{ R(\bar{a}) \mid \exists x, s : R(x, s, \bar{a}) \in I \}$, and we write $I|^{x,s}$ to denote the set $\{ R(y, t, \bar{a}) \in I \mid y = x,\ t = s \}$.

Now, for each $i \in \mathbb{N}$, for each node $x \in \mathcal{N}$, denoting $s = \mathit{loc}_M(i, x)$, in configuration $\rho_i = (\mathit{st}_i, \mathit{bf}_i)$ the state $\mathit{st}_i(x)$ is defined as

We remove the location specifier and timestamp because we have to obtain facts over the schema of $\mathcal{P}$, not over the schema of $\mathit{pure}(\mathcal{P})$.

Now we define the message buffers in the configurations. Recall that the message buffer of a node always contains pairs of the form $(j, f)$, where $j \in \mathbb{N}$ is the transition in which fact $f$ was sent. For each $i \in \mathbb{N}$, for each node $x \in \mathcal{N}$, in configuration $\rho_i = (\mathit{st}_i, \mathit{bf}_i)$, the message buffer $\mathit{bf}_i(x)$ is defined as

$$\{ (\mathit{glob}_M(y, t), R(\bar{a})) \mid \exists u : \mathtt{chosen}_R(y, t, x, u, \bar{a}) \in M,\ \mathit{glob}_M(y, t) < i \le \mathit{glob}_M(x, u) \}.$$






Putting Logic-Based Distributed Systems on Stable Grounds 



Note the use of addressee $x$ in this definition. The definition of $bf_i(x)$ reflects the operational semantics, in that the messages in the buffer of node $x$ must be sent in a previous transition, as expressed by the constraint $glob_M(y, t) < i$. Moreover, the constraint $i \le glob_M(x, u)$ says that $bf_i(x)$ contains only messages that will be delivered in transitions of $x$ that come after configuration $\rho_i$. Possibly $i = glob_M(x, u)$, and in that case the message will be delivered in the transition immediately after configuration $\rho_i$, which is transition $i$ (see also below).

Transitions. So far we have obtained a sequence of configurations $\rho_0, \rho_1, \rho_2$, etc. Now we define a sequence of tuples, one tuple per ordinal $i \in \mathbb{N}$, that represents the transition $i$. Let $i \in \mathbb{N}$. Recall from above that $(x_i, s_i)$ is the unique pair in $\mathcal{N} \times \mathbb{N}$ such that $glob_M(x_i, s_i) = i$. The tuple $\tau_i$ is defined as $(\rho_i, x_i, m_i, i, \rho_{i+1})$, where
\[
m_i = \{(glob_M(y, t),\ R(\bar a)) \mid chosen_R(y, t, z, u, \bar a) \in M,\ glob_M(z, u) = i\}.
\]
Intuitively, $m_i$ selects all messages that arrive in transition $i$. And since $glob_M(z, u) = i$ implies $z = x_i$ and $u = s_i$, we thus select all messages destined for step $s_i$ of node $x_i$.


Trace. We can show that the sequence $\mathcal{R}$ is indeed a legal run of $\mathcal{P}$ on input $H$ such that $trace(\mathcal{R}) = M$; this proof can be found in Appendix B of the online appendix to the paper. In the following subsection we show that $\mathcal{R}$ is also fair.


5.3.3 Fair Run

Let $\mathcal{R}$ be the run as constructed in the previous subsection. We now show that $\mathcal{R}$ is fair. For each transition index $i \in \mathbb{N}$, let $\rho_i = (st_i, bf_i)$ denote the source configuration of transition $i$. Recall from Section 5.1.4 that we have to check two fairness conditions:

1. every node is the active node in an infinite number of transitions; and,

2. for every transition $i \in \mathbb{N}$, for every $y \in \mathcal{N}$, for every pair $(j, f) \in bf_i(y)$, there is a transition $k$ with $i \le k$ in which $(j, f)$ is delivered to $y$.

We show that $\mathcal{R}$ satisfies the first fairness condition. Let $x \in \mathcal{N}$ be a node, and let $s \in \mathbb{N}$ be a timestamp of $x$. Consider transition $i = glob_M(x, s)$. This transition has active node $x_i = x$. We can find such a transition with active node $x$ for every timestamp $s \in \mathbb{N}$ of $x$, and these transitions are all distinct because the function $glob_M(\cdot)$ is injective. So, there are infinitely many transitions in $\mathcal{R}$ with active node $x$.

We show that $\mathcal{R}$ satisfies the second fairness condition. Let $i \in \mathbb{N}$, $y \in \mathcal{N}$, and $(j, f) \in bf_i(y)$. Denote $f = R(\bar a)$. From its construction, the pair $(j, f) \in bf_i(y)$ implies there are values $x \in \mathcal{N}$, $s \in \mathbb{N}$ and $t \in \mathbb{N}$ such that $chosen_R(x, s, y, t, \bar a) \in M$ and $j = glob_M(x, s) < i \le glob_M(y, t)$. Denote $k = glob_M(y, t)$. Hence, $i \le k$ and $(j, f) \in m_k$ by definition of $m_k$. Thus $(j, f)$ is delivered to $x_k = y$ in transition $k$.
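The construction of the run from the model (Sections 5.3.2 and 5.3.3), replayed on a toy model as an added example that is not part of the paper. The script takes the $chosen_R$ facts of a constructed model, numbers the pairs (node, timestamp) with a round-robin $glob_M$ (an assumption made here for simplicity; the paper derives $glob_M$ from $M$), and computes the buffers $bf_i(x)$ and the delivered sets $m_i$ exactly as defined above. It then checks both fairness conditions on a finite prefix and checks that the buffers evolve as the operational semantics demands: what transition $i$ delivers leaves the active node's buffer, and what the active node sends enters the addressees' buffers. Because buffer entries are pairs $(j, f)$, the same fact sent in two different transitions gives two distinct entries, which is the duplicate-preserving representation the paper uses.

```python
"""Run construction of Sections 5.3.2-5.3.3 replayed on a toy model.

Added example, not code from the paper.  A "model" is represented only by its
chosen_R facts (the messages the stable model decided to deliver); glob_M is
taken to be the round-robin numbering glob_M(x, s) = |N|*s + index(x), an
assumption made for this example (the paper derives glob_M from M).
"""
from collections import defaultdict

NODES = ("x", "y")  # the network N (constructed)

# chosen_R(sender, s, addressee, t, payload), all constructed:
#   x in its step 0 sends R(a), delivered at y's step 1;
#   y in its step 1 sends R(b), delivered at x's step 2;
#   x in its step 1 re-sends R(a), delivered at y's step 3 (a duplicate payload
#   from a different send transition, so a distinct buffer entry).
CHOSEN = {
    ("x", 0, "y", 1, ("R", "a")),
    ("y", 1, "x", 2, ("R", "b")),
    ("x", 1, "y", 3, ("R", "a")),
}

def glob(node, s):
    """glob_M: injective map N x N -> N (round-robin interleaving of the nodes)."""
    return len(NODES) * s + NODES.index(node)

def loc(i):
    """Inverse of glob: the unique (x_i, s_i) with glob(x_i, s_i) = i."""
    return NODES[i % len(NODES)], i // len(NODES)

def check_causal(chosen):
    """A message must be sent in a transition strictly before the one delivering it."""
    for (y, t, x, u, _) in chosen:
        if not glob(y, t) < glob(x, u):
            raise ValueError(f"({y},{t}) -> ({x},{u}) would arrive before it is sent")

def buffer(i, x, chosen):
    """bf_i(x) = {(glob(y,t), R(a)) | chosen_R(y,t,x,u,a) in M, glob(y,t) < i <= glob(x,u)}."""
    return {(glob(y, t), f) for (y, t, z, u, f) in chosen
            if z == x and glob(y, t) < i <= glob(x, u)}

def delivered(i, chosen):
    """m_i = {(glob(y,t), R(a)) | chosen_R(y,t,z,u,a) in M, glob(z,u) = i}."""
    return {(glob(y, t), f) for (y, t, z, u, f) in chosen if glob(z, u) == i}

def run_prefix(chosen, n):
    """Transitions tau_0..tau_{n-1} as (active node, m_i, buffers of rho_i)."""
    check_causal(chosen)
    return [(loc(i)[0], delivered(i, chosen),
             {z: buffer(i, z, chosen) for z in NODES}) for i in range(n)]

def check_fairness(chosen, n):
    """Both fairness conditions of Section 5.1.4, on the prefix 0..n-1.

    Condition 1 (every node active infinitely often) can only be sampled on a
    finite prefix: every node must occur as active node.  Condition 2: every
    (j, f) sitting in some bf_i(y) must be delivered to y in a transition k >= i;
    in this toy all arrivals lie inside the prefix, so k must be found."""
    prefix = run_prefix(chosen, n)
    if {node for node, _, _ in prefix} != set(NODES):
        return False
    for i, (_, _, bufs) in enumerate(prefix):
        for y, pairs in bufs.items():
            for pair in pairs:
                if not any(pair in m and loc(k)[0] == y
                           for k, (_, m, _) in enumerate(prefix) if k >= i):
                    return False
    return True

def check_buffer_invariant(chosen, n):
    """Operational reading of the definitions: bf_{i+1}(z) equals bf_i(z) minus
    what transition i delivered to its active node, plus what that node sent."""
    prefix = run_prefix(chosen, n)
    for i in range(n - 1):
        xi, si = loc(i)
        sent = defaultdict(set)
        for (y, t, z, u, f) in chosen:
            if (y, t) == (xi, si):
                sent[z].add((i, f))
        for z in NODES:
            removed = prefix[i][1] if z == xi else set()
            if prefix[i + 1][2][z] != (prefix[i][2][z] - removed) | sent[z]:
                return False
    return True

if __name__ == "__main__":
    for i, (node, m, bufs) in enumerate(run_prefix(CHOSEN, 8)):
        print(f"tau_{i}: active {node} step {loc(i)[1]}, delivers {sorted(m)}, buffers {bufs}")
    print("fair:", check_fairness(CHOSEN, 8), " buffers consistent:", check_buffer_invariant(CHOSEN, 8))
```

Running the script lists the eight transitions $\tau_0, \ldots, \tau_7$; the duplicate $R(a)$ shows up in $bf_3(y)$ as the two entries $(0, R(a))$ and $(2, R(a))$, and the causality check rejects any model in which a message would arrive in a transition numbered before its send.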
6 Discussion

We have represented distributed programs in Datalog under the stable model se¬ 
mantics. Moreover, we have shown that the stable models represent the desired 
behavior of the distributed program, as found in a realistic operational semantics. 

We now discuss some points for future work. 

As mentioned, many Datalog-inspired languages have been proposed to implement
distributed applications (Loo et al. 2009; Navarro and Rybalchenko 2009; Grumbach and Wang 2010;
Abiteboul et al. 2011), and they contain several powerful features such as aggregation
and non-determinism (choice). Our current framework already represents the
essential features that all these languages possess: reasoning about distributed state 
and representing message sending. Nonetheless, we have probably not yet explored 
the full power of stable models. We therefore expect that this work can be extended 
to languages that incorporate more powerful language constructs such as the ones 
mentioned above. It might also be possible to remove the syntactic stratification 
condition that we have used for the deductive rules. 

More related to multi-agent systems (Leite et al. 2002; Nigam and Leite 2006;
Leite and Soares 2007), it might be interesting to allow logic programs used in
declarative networking to dynamically modify their rules. The question would be 
how (and if) this can be represented in our model-based semantics. 

The effect of variants of the model-based semantics can be studied. For example,
messages can be sent into the past when the causality rules are removed. Then, one
might ask which (classes of) programs still work "correctly" under such a non-causal
semantics; some preliminary results are in (Ameloot and Van den Bussche 2014).

Lastly, we can think about the output of distributed Datalog programs. Marczak et al.
(2011) define the output with ultimate facts, which are facts that will eventually
always be present on the network. This way, the output of a run (or equivalently 
stable model) can be defined. Then, a consistent program is required to produce 
the same output in every run. For consistent programs, the output on an input 
distributed database instance can thus be defined as the output of any run. We can 
now consider the following decision problem: for a consistent program, an input 
distributed database instance for that program, and a fact, decide if this fact is 
output by the program on that input. We think that decidability depends on the 
semantics of the message buffers. In this paper, we have represented per addressee 
duplicate messages in its message buffer. This is a realistic representation, since in 
a real network, the same message can be sent multiple times, and hence, multiple 
instances of the same message can be in transmission simultaneously. If we would 
forbid duplicate messages in the buffers, then the decision problem becomes decid¬ 
able because only a finite number of configurations would be possible by finiteness 
of the input domain. But when duplicates are preserved, the number of configurations
is not limited, and we expect that the problem will be undecidable in general.

However, we might want to investigate whether decidability can be obtained in par¬ 
ticular (syntactically defined) cases. If so, it might be interesting for those cases to 
find finite representations of the stable models. This could serve as a more intuitive 
programmer abstraction, or it could perhaps be used to more efficiently simulate
the behavior of the network for testing purposes. 
Appendix
General Remarks

Let $\mathcal{P}$ be a Dedalus program. Recall from Section 5.1.2 that $deduc_{\mathcal{P}} \subseteq \mathcal{P}$ is the
subset of all (unmodified) deductive rules. The semantics of $deduc_{\mathcal{P}}$ is given by
the stratified semantics. Although the semantics of $deduc_{\mathcal{P}}$ does not depend on
the chosen syntactic stratification, for technical convenience in the proofs, we will
fix an arbitrary syntactic stratification for $deduc_{\mathcal{P}}$. Whenever we refer to the stratum
number of an idb relation, we implicitly use this fixed syntactic stratification.
Stratum numbers start at 1.


Appendix A Run to Model: Proof Details

In the context of Section 5.2.2 we show that $M$ is a model of $\mathcal{P}$ on input $H$.
Let $G$ abbreviate the ground program $ground_M(\mathcal{L}, I)$, where $\mathcal{L} = pure(\mathcal{P})$ and
$I = decl(H)$. To show that $M$ is a stable model, we have to show $M = N$ where
$N = G(decl(H))$. The inclusions $M \subseteq N$ and $N \subseteq M$ are shown respectively in
Sections A.1 and A.2. We use the notations of Section 5.2.2.

A.1 Inclusion $M \subseteq N$

By definition,
\[
M = decl(H) \cup \bigcup_{i \in \mathbb{N}} trans^i_{\mathcal{R}}.
\]
We immediately have $decl(H) \subseteq N$ by the semantics of $G$. Next, we define for
uniformity the set $trans^{-1}_{\mathcal{R}} = \emptyset$. We will show by induction on $i = -1, 0, 1, \ldots$
that $trans^i_{\mathcal{R}} \subseteq N$. The base case ($i = -1$) is clear. For the induction hypothesis,
let $i \ge 0$, and assume for all $j \in \{-1, 0, \ldots, i-1\}$ that $trans^j_{\mathcal{R}} \subseteq N$. We show that
$trans^i_{\mathcal{R}} \subseteq N$. By definition,
\[
trans^i_{\mathcal{R}} = caus^i_{\mathcal{R}} \cup fin^i_{\mathcal{R}} \cup duc^i_{\mathcal{R}} \cup snd^i_{\mathcal{R}}.
\]
We show inclusion of these four sets in $N$ below. Auxiliary claims can be found in
Section A.1.5.


A.1.1 Causality

We show that $caus^i_{\mathcal{R}} \subseteq N$. Concretely, let $(x, s) \in \mathcal{N} \times \mathbb{N}$ such that $(x, s) \prec_{\mathcal{R}} (x_i, s_i)$.
We show $before(x, s, x_i, s_i) \in N$. We distinguish between the following cases.

Local edge. Suppose $(x, s) \prec_{\mathcal{R}} (x_i, s_i)$ is a local edge, i.e., $x = x_i$ and $s_i = s + 1$.
Because the before-rule for local edges is positive, the following ground rule is always in $G$:
\[
before(x, s, x, s+1) \leftarrow all(x),\ tsucc(s, s+1).
\]
The body facts of this ground rule are in $decl(H) \subseteq N$; hence, the rule derives
$before(x, s, x, s+1) = before(x, s, x_i, s_i) \in N$.

Message edge. Suppose $(x, s) \prec_{\mathcal{R}} (x_i, s_i)$ is a message edge, i.e., there is an earlier
transition $j < i$ with $j = glob_{\mathcal{R}}(x, s)$, in which $x$ sends a message $f$ to $x_i$ that is
delivered in transition $i$. Denote $f = R(\bar a)$. Because the before-rule for message edges in
$pure(\mathcal{P})$ is positive, the following ground rule is always in $G$:
\[
before(x, s, x_i, s_i) \leftarrow chosen_R(x, s, x_i, s_i, \bar a).
\]
We show $chosen_R(x, s, x_i, s_i, \bar a) \in N$, so that $before(x, s, x_i, s_i) \in N$, as desired.
Since $j = glob_{\mathcal{R}}(x, s)$, we have $x_j = x$ and $s_j = s$. Also using $s_i = loc_{\mathcal{R}}(i)$, we have
\[
chosen_R(x, s, x_i, s_i, \bar a) \in snd^j_{\mathcal{R}} \subseteq trans^j_{\mathcal{R}}.
\]
Lastly, we have $trans^j_{\mathcal{R}} \subseteq N$ by applying the induction hypothesis.

Transitive edge. Suppose $(x, s) \prec_{\mathcal{R}} (x_i, s_i)$ is neither a local edge nor a message edge.
Then we can choose a pair $(z, u) \in \mathcal{N} \times \mathbb{N}$ such that $(x, s) \prec_{\mathcal{R}} (z, u)$ and $(z, u) \prec_{\mathcal{R}}
(x_i, s_i)$, but also such that $(z, u) \prec_{\mathcal{R}} (x_i, s_i)$ is a local edge or a message edge.
Because the transitivity rule for before is positive, the following ground rule is always in $G$:
\[
before(x, s, x_i, s_i) \leftarrow before(x, s, z, u),\ before(z, u, x_i, s_i).
\]
We now show that the body of this rule is in $N$, so that $before(x, s, x_i, s_i) \in
N$, as desired. Denote $j = glob_{\mathcal{R}}(z, u)$. First, because $(x, s) \prec_{\mathcal{R}} (z, u)$, we have
$before(x, s, z, u) \in caus^j_{\mathcal{R}}$. Next, because $(z, u) \prec_{\mathcal{R}} (x_i, s_i)$, we have $j < i$ by
Lemma 1. So, by applying the induction hypothesis to $j$, we have $before(x, s, z, u) \in
N$. Secondly, because $(z, u) \prec_{\mathcal{R}} (x_i, s_i)$ is a local edge or a message edge, we have
$before(z, u, x_i, s_i) \in N$ as shown in the preceding two cases.
A.1.2 Finite Messages

We show that $fin^i_{\mathcal{R}} \subseteq N$. Let $senders^i_{\mathcal{R}}$ be as defined in Section 5.2.2. For each of
the different kinds of facts in $fin^i_{\mathcal{R}}$, we show inclusion in $N$.

Senders. Let $hasSender(x_i, s_i, x, s) \in fin^i_{\mathcal{R}}$. We have $(x, s) \in senders^i_{\mathcal{R}}$, which
means that $x$ during step $s$ sends some message fact $R(\bar a)$ that arrives in step
$s_i$ of $x_i$. The hasSender-rules in $pure(\mathcal{P})$ have a negative rcvinf-atom in their
body. But since we have not added any rcvinf-facts to $M$, including $rcvinf(x_i, s_i)$,
the following rule is in $G$:
\[
hasSender(x_i, s_i, x, s) \leftarrow chosen_R(x, s, x_i, s_i, \bar a).
\]
We are left to show that $chosen_R(x, s, x_i, s_i, \bar a) \in N$. Denote $j = glob_{\mathcal{R}}(x, s)$. Using
that $x = x_j$ and $s = s_j$, we have $chosen_R(x, s, x_i, s_i, \bar a) \in snd^j_{\mathcal{R}}$. Because $j < i$
by the operational semantics, we can apply the induction hypothesis to $j$ to know
$snd^j_{\mathcal{R}} \subseteq N$.

Comparison of timestamps. Let $isSmaller(x_i, s_i, x, s) \in fin^i_{\mathcal{R}}$. We have $(x, s) \in
senders^i_{\mathcal{R}}$ and there is a timestamp $s' \in \mathbb{N}$ so that $(x, s') \in senders^i_{\mathcal{R}}$ and $s < s'$.
The isSmaller-rule is positive and therefore the following ground rule is always in $G$:
\[
isSmaller(x_i, s_i, x, s) \leftarrow hasSender(x_i, s_i, x, s),\ hasSender(x_i, s_i, x, s'),\ s < s'.
\]
We immediately have $(s < s') \in decl(H) \subseteq N$. By construction of $fin^i_{\mathcal{R}}$, we also
have $hasSender(x_i, s_i, x, s) \in fin^i_{\mathcal{R}}$ and $hasSender(x_i, s_i, x, s') \in fin^i_{\mathcal{R}}$, and thus
both facts are also in $N$ as shown above. Hence the previous ground rule derives
$isSmaller(x_i, s_i, x, s) \in N$.

Maximum timestamp. Let $hasMax(x_i, s_i, x) \in fin^i_{\mathcal{R}}$. Thus $x$ is a sender-node mentioned
in $senders^i_{\mathcal{R}}$. Let $s$ be the maximum send-timestamp of $x$ in $senders^i_{\mathcal{R}}$, which
surely exists because $senders^i_{\mathcal{R}}$ is finite. We have not added $isSmaller(x_i, s_i, x, s)$
to $fin^i_{\mathcal{R}}$, and thus also not to $M$. Although the hasMax-rule contains a negated isSmaller-atom,
$isSmaller(x_i, s_i, x, s) \notin M$ implies that the following ground rule is in $G$:
\[
hasMax(x_i, s_i, x) \leftarrow hasSender(x_i, s_i, x, s).
\]
Moreover, $(x, s) \in senders^i_{\mathcal{R}}$ implies $hasSender(x_i, s_i, x, s) \in N$, and thus the previous
ground rule derives $hasMax(x_i, s_i, x) \in N$, as desired.

A.1.3 Deductive

We show that $duc^i_{\mathcal{R}} \subseteq N$. By definition, $duc^i_{\mathcal{R}} = D_i^{\uparrow x_i, s_i}$, where $D_i$ is the output
of subprogram $deduc_{\mathcal{P}}$ during transition $i$. Recall from Section 5.1.3 that $deduc_{\mathcal{P}}$
is given the following input during transition $i$:
\[
st_i(x_i) \cup untag(m_i),
\]






Ameloot et al. 


where $st_i$ denotes the state at the beginning of transition $i$, and $m_i$ is the set
of (tagged) messages delivered during transition $i$. If we can show that $(st_i(x_i) \cup
untag(m_i))^{\uparrow x_i, s_i} \subseteq N$, then we can apply Claim 8 to know that $D_i^{\uparrow x_i, s_i} \subseteq N$, as
desired.

State. We first show $st_i(x_i)^{\uparrow x_i, s_i} \subseteq N$. There are two cases:

• Suppose $s_i = 0$, i.e., $i$ is the first transition of $\mathcal{R}$ with active node $x_i$. Then
$st_i(x_i) = H(x_i)$ by the operational semantics, which gives $st_i(x_i)^{\uparrow x_i, s_i} \subseteq
decl(H) \subseteq N$ by definition of $decl(H)$.

• Suppose $s_i > 0$. Then we can consider the last transition $j$ of $x_i$ that came
before $i$. By the operational semantics, we have $st_i(x_i) = st_{j+1}(x_i)$, where
$st_{j+1}$ is the state resulting from transition $j$. More concretely, $st_i(x_i) =
H(x_i) \cup induc_{\mathcal{P}}(D_j)$, with $D_j$ the output of $deduc_{\mathcal{P}}$ during transition $j$. As
in the previous case, we already know $H(x_i)^{\uparrow x_i, s_i} \subseteq decl(H)$. Now, by applying
the induction hypothesis to $j$, we have $duc^j_{\mathcal{R}} \subseteq trans^j_{\mathcal{R}} \subseteq N$. Next, by
applying Claim 10 and by using $s_i = s_j + 1$, we obtain
\[
induc_{\mathcal{P}}(D_j)^{\uparrow x_i, s_i} \subseteq N.
\]

Messages. Now we show $untag(m_i)^{\uparrow x_i, s_i} \subseteq N$. Let $f \in untag(m_i)$. We have to show
that $f^{\uparrow x_i, s_i} \in N$. First, because $f \in untag(m_i)$, there is a transition $k$ with $k < i$
such that $(k, f) \in m_i$, i.e., the fact $f$ was sent to $x_i$ during transition $k$ (by node
$x_k$). Denote $f = R(\bar a)$. So, there must be an asynchronous rule with head-predicate
$R$ in $\mathcal{P}$, which has a corresponding delivery rule in $pure(\mathcal{P})$. Delivery rules are positive
and thus the following ground rule is always in $G$:
\[
R(x_i, s_i, \bar a) \leftarrow chosen_R(x_k, s_k, x_i, s_i, \bar a).
\]
We show $chosen_R(x_k, s_k, x_i, s_i, \bar a) \in N$, so that the rule derives $R(x_i, s_i, \bar a) \in N$, as
desired. Because $x_k$ sends $f$ to $x_i$ during transition $k$, and $i$ is the transition in which
this message is delivered to $x_i$, we have $chosen_R(x_k, s_k, x_i, s_i, \bar a) \in snd^k_{\mathcal{R}} \subseteq trans^k_{\mathcal{R}}$.
By applying the induction hypothesis to $k$, we have $snd^k_{\mathcal{R}} \subseteq N$.

A.1.4 Sending

We show that $snd^i_{\mathcal{R}} \subseteq N$. For each kind of fact in $snd^i_{\mathcal{R}}$ we show inclusion in $N$.

Candidates. Let $cand_R(x_i, s_i, y, t, \bar a) \in snd^i_{\mathcal{R}}$. We have $R(y, \bar a) \in mesg^i_{\mathcal{R}}$, $t \in \mathbb{N}$ and
$(y, t) \not\prec_{\mathcal{R}} (x_i, s_i)$. Since $D_i^{\uparrow x_i, s_i} \subseteq N$ (see above), we can use Claim 11 to obtain
$cand_R(x_i, s_i, y, t, \bar a) \in N$, as desired.

Chosen. Let $chosen_R(x_i, s_i, y, t, \bar a) \in snd^i_{\mathcal{R}}$. We have $R(y, \bar a) \in mesg^i_{\mathcal{R}}$ and $t =
loc_{\mathcal{R}}(j)$, with $j$ the transition in which the message $R(\bar a)$ sent during transition $i$ is
delivered to $y$. Because $R(y, \bar a) \in mesg^i_{\mathcal{R}}$, this fact was produced
by $async_{\mathcal{P}}$, and thus there is an asynchronous rule in $\mathcal{P}$ with head-predicate $R$.
This asynchronous rule has a corresponding chosen-rule in $pure(\mathcal{P})$ that
contains a negated $other_R$-atom in the body. But by construction of $snd^i_{\mathcal{R}}$, we have
not added $other_R(x_i, s_i, y, t, \bar a)$ to $snd^i_{\mathcal{R}}$, and thus also not to $M$. Therefore the
following ground rule of the chosen-form is in $G$:
\[
chosen_R(x_i, s_i, y, t, \bar a) \leftarrow cand_R(x_i, s_i, y, t, \bar a).
\]
Because $j > i$ by the operational semantics, we have $(y, t) \not\prec_{\mathcal{R}} (x_i, s_i)$ by Lemma 1.
Thus, by construction of $snd^i_{\mathcal{R}}$, we have $cand_R(x_i, s_i, y, t, \bar a) \in snd^i_{\mathcal{R}}$, in which case
$cand_R(x_i, s_i, y, t, \bar a) \in N$ (shown above). Hence, the previous ground rule derives
$chosen_R(x_i, s_i, y, t, \bar a) \in N$, as desired.

Other. Let $R(y, \bar a)$ and $t$ be from above. Let $other_R(x_i, s_i, y, u, \bar a) \in snd^i_{\mathcal{R}}$. We
have $u \in \mathbb{N}$, $(y, u) \not\prec_{\mathcal{R}} (x_i, s_i)$ and $u \neq t$. Because the other-rule is positive, the following
ground rule is in $G$:
\[
other_R(x_i, s_i, y, u, \bar a) \leftarrow cand_R(x_i, s_i, y, u, \bar a),\ chosen_R(x_i, s_i, y, t, \bar a),\ u \neq t.
\]
We immediately have $(u \neq t) \in decl(H) \subseteq N$. Now we show that the other body
facts are in $N$, so the rule derives $other_R(x_i, s_i, y, u, \bar a) \in N$, as desired. Because
$(y, u) \not\prec_{\mathcal{R}} (x_i, s_i)$, by construction of $snd^i_{\mathcal{R}}$, we have $cand_R(x_i, s_i, y, u, \bar a) \in snd^i_{\mathcal{R}}$
and thus $cand_R(x_i, s_i, y, u, \bar a) \in N$ (shown above). Moreover, it was shown above
that $chosen_R(x_i, s_i, y, t, \bar a) \in N$.
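The check $M = G(decl(H))$ that Appendix A carries out by hand, together with the interplay of the cand/chosen/other rules in A.1.4, as an added example that is not part of the paper. The script builds a small ground fragment of $pure(\mathcal{P})$ for a single message (the $cand_R$, $chosen_R$ and $other_R$ rules over a finite time domain; the causality information is supplied as an input fact $before(y,0,x,1)$ instead of being derived by the before-rules, and the satisfied body of the asynchronous rule is abbreviated to a fact $send(x,1,a)$; all of this is constructed for the example). It computes the reduct $ground_M$ and its least model, decides stability by comparing the two, and enumerates the stable models by brute force. Each stable model commits to exactly one arrival time for the message, which is the nondeterminism the operational semantics leaves to the network.

```python
"""Stable-model check as in Appendix A: M is stable iff M = G(decl(H)), where G
is the ground program with every rule whose negative body meets M dropped and
the remaining negative atoms removed (the Gelfond-Lifschitz reduct).

Added example, not the paper's code.  The ground program is a hand-built
fragment of pure(P) for one message R(a) sent by node x in its step 1 to node y,
over the finite time domain {0,1,2}.  The fact before(y,0,x,1) is supplied as
input, standing in for the causality rules: y's step 0 is known to precede
x's step 1, so the message cannot arrive there.
"""
from itertools import combinations

TIMES = (0, 1, 2)

def cand(t):   return f"cand_R(x,1,y,{t},a)"
def chosen(t): return f"chosen_R(x,1,y,{t},a)"
def other(t):  return f"other_R(x,1,y,{t},a)"

# decl(H): input facts (constructed).  send(x,1,a) stands for the body of the
# asynchronous rule being satisfied at x in step 1.
FACTS = {"all(y)", "time(0)", "time(1)", "time(2)", "before(y,0,x,1)", "send(x,1,a)"}

# Ground rules as (head, positive body, negative body).
RULES = (
    # cand_R(x,1,y,t,a) <- send(x,1,a), all(y), time(t), not before(y,t,x,1)
    [(cand(t), {"send(x,1,a)", "all(y)", f"time({t})"}, {f"before(y,{t},x,1)"}) for t in TIMES]
    # chosen_R(x,1,y,t,a) <- cand_R(x,1,y,t,a), not other_R(x,1,y,t,a)
    + [(chosen(t), {cand(t)}, {other(t)}) for t in TIMES]
    # other_R(x,1,y,u,a) <- cand_R(x,1,y,u,a), chosen_R(x,1,y,t,a), u != t
    + [(other(u), {cand(u), chosen(t)}, set()) for u in TIMES for t in TIMES if u != t]
)

def reduct(rules, model):
    """ground_M(L, I): drop rules whose negative body meets M, keep the rest positive."""
    return [(head, pos) for (head, pos, neg) in rules if not (neg & model)]

def least_model(positive_rules, facts):
    """G(decl(H)): least fixpoint of the positive ground program over the facts."""
    n = set(facts)
    while True:
        derived = {head for (head, pos) in positive_rules if pos <= n} - n
        if not derived:
            return n
        n |= derived

def is_stable(rules, facts, model):
    """M is a stable model iff the least model of its own reduct is M again."""
    return least_model(reduct(rules, model), facts) == model

def stable_models(rules, facts):
    """Brute force over candidate M = facts plus a subset of the idb atoms."""
    idb = sorted({head for (head, _, _) in rules})
    found = []
    for k in range(len(idb) + 1):
        for subset in combinations(idb, k):
            m = set(facts) | set(subset)
            if is_stable(rules, facts, m):
                found.append(m)
    return found

def arrival_times(model):
    """The step of y at which the model delivers R(a)."""
    return sorted(t for t in TIMES if chosen(t) in model)

if __name__ == "__main__":
    for m in stable_models(RULES, FACTS):
        print("stable model: R(a) arrives at y in step", arrival_times(m))
```

The enumeration finds exactly two stable models, delivering $R(a)$ at step 1 or at step 2 of $y$; step 0 is excluded by the before-fact, a candidate set with no chosen-fact is not stable because the reduct then keeps every chosen-rule, and a set with two chosen-facts is not stable because the other-facts they force remove both chosen-rules from the reduct.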


A.1.5 Subclaims


Claim 8

Let $i$ be a transition of $\mathcal{R}$. If $(st_i(x_i) \cup untag(m_i))^{\uparrow x_i, s_i} \subseteq N$, then $D_i^{\uparrow x_i, s_i} \subseteq N$.


Proof

Abbreviate $I_i = st_i(x_i) \cup untag(m_i)$. Recall that $D_i = deduc_{\mathcal{P}}(I_i)$, which is computed
with the stratified semantics.

For $k \in \mathbb{N}$, we write $D_i^{k}$ to denote the set obtained by adding to $I_i$ all facts
derived in stratum 1 up to stratum $k$ during the computation of $D_i$. For the largest
stratum number $n$ of $deduc_{\mathcal{P}}$, we have $D_i^{n} = D_i$. Also, because stratum numbers
start at 1, we have $D_i^{0} = I_i$. We show by induction on $k = 0, 1, 2, \ldots, n$ that
$(D_i^{k})^{\uparrow x_i, s_i} \subseteq N$.

Base case. For the base case, $k = 0$, the property holds by the given assumption,
since $D_i^{0} = I_i$.

Induction hypothesis. For the induction hypothesis, assume for some stratum number
$k$ with $k \ge 1$ that $(D_i^{k-1})^{\uparrow x_i, s_i} \subseteq N$.

Inductive step. For the inductive step, we show that $(D_i^{k})^{\uparrow x_i, s_i} \subseteq N$. Recall that
the input of stratum $k$ in $deduc_{\mathcal{P}}$ is the set $D_i^{k-1}$ and the semantics is given
by the fixpoint semantics of semi-positive Datalog$^\neg$ (see Section 3.2.2). So, we can
consider $D_i^{k}$ to be a fixpoint, i.e., as the set $\bigcup_{l \in \mathbb{N}} A_l$ with $A_0 = D_i^{k-1}$ and
$A_l = T(A_{l-1})$ for each $l \ge 1$, where $T$ is the immediate consequence operator of
stratum $k$. We show by inner induction on $l = 0, 1$, etc., that $A_l^{\uparrow x_i, s_i} \subseteq N$.

For the base case ($l = 0$), we have $A_0 = D_i^{k-1}$, for which we can apply the outer
induction hypothesis to know that $A_0^{\uparrow x_i, s_i} \subseteq N$, as desired. For
the inner induction hypothesis, we assume for some $l \ge 1$ that $A_{l-1}^{\uparrow x_i, s_i} \subseteq N$.
For the inner inductive step, we show that $A_l^{\uparrow x_i, s_i} \subseteq N$. Let $f \in A_l \setminus A_{l-1}$.
Let $\varphi \in deduc_{\mathcal{P}}$ and $V$ be a rule from stratum $k$ and a valuation respectively that
have derived $f$. Let $\varphi'$ be the rule in $pure(\mathcal{P})$ obtained by applying the transformation
into $pure(\mathcal{P})$ to $\varphi$. Let $V'$ be $V$ extended to assign $x_i$ and $s_i$ to the new variables in
$\varphi'$ that represent the location and timestamp respectively. Note in particular that
$V'(pos_{\varphi'}) = V(pos_\varphi)^{\uparrow x_i, s_i}$ and $V'(neg_{\varphi'}) = V(neg_\varphi)^{\uparrow x_i, s_i}$. Let $\psi$ be the positive
ground rule obtained by applying $V'$ to $\varphi'$ and by subsequently removing all negative
(ground) body atoms. We show that $\psi \in G$ and that its body is in $N$, so that
$\psi$ derives $head_\psi = f^{\uparrow x_i, s_i} \in N$, as desired.

In order for $\psi$ to be in $G$, it is required that $V'(neg_{\varphi'}) \cap M = \emptyset$. Because $V$ is
satisfying for $\varphi$, and negation in $\varphi$ is only applied to lower strata, we have $V(neg_\varphi) \cap
D_i^{k-1} = \emptyset$. Moreover, since a relation is computed in only one stratum of $deduc_{\mathcal{P}}$,
we overall have $V(neg_\varphi) \cap D_i = \emptyset$. Then by Claim 9 we have $V(neg_\varphi)^{\uparrow x_i, s_i} \cap M = \emptyset$.
Hence,
\[
V'(neg_{\varphi'}) \cap M = \emptyset.
\]
Now we show that $pos_\psi \subseteq N$. Because $V$ is satisfying for $\varphi$, we have $V(pos_\varphi) \subseteq
A_{l-1}$, and by applying the inner induction hypothesis we have $V(pos_\varphi)^{\uparrow x_i, s_i} \subseteq N$.
Therefore, $pos_\psi = V'(pos_{\varphi'}) \subseteq N$.

□


Claim 9

Let $i$ be a transition of $\mathcal{R}$. Let $I$ be a set of facts over $sch(\mathcal{P})$. If $I \cap D_i = \emptyset$ then
$I^{\uparrow x_i, s_i} \cap M = \emptyset$.

Proof

If a fact $f \in M$ is over schema $sch(\mathcal{P})^{LT}$ and has location specifier $x_i$ and timestamp
$s_i$ then $f \in duc^i_{\mathcal{R}}$, because (i) for any transition $j$ there are no facts over $sch(\mathcal{P})^{LT}$
in $caus^j_{\mathcal{R}}$, $fin^j_{\mathcal{R}}$ or $snd^j_{\mathcal{R}}$; (ii) we only add facts with location specifier $x_i$ to $duc^j_{\mathcal{R}}$ if
$j$ is a transition of node $x_i$; and, (iii) for every transition $j$ of node $x_i$, if $i \neq j$ then
$loc_{\mathcal{R}}(j) \neq s_i$.

Hence, it suffices to show $I^{\uparrow x_i, s_i} \cap duc^i_{\mathcal{R}} = \emptyset$. But this is immediate from $I \cap D_i = \emptyset$
because $duc^i_{\mathcal{R}}$ equals $D_i^{\uparrow x_i, s_i}$ by definition. □
Claim 10

Let $j$ be a transition of $\mathcal{R}$. Let $D_j$ be the output of $deduc_{\mathcal{P}}$ during transition $j$.
Suppose $duc^j_{\mathcal{R}} \subseteq N$. We have $induc_{\mathcal{P}}(D_j)^{\uparrow x_j, s_j + 1} \subseteq N$.

Proof

Let $f \in induc_{\mathcal{P}}(D_j)$. Let $\varphi \in induc_{\mathcal{P}}$ and $V$ respectively be a rule and valuation
that have derived $f$. Let $\varphi'$ be the rule in $pure(\mathcal{P})$ that is obtained after applying the
transformation into $pure(\mathcal{P})$ to $\varphi$. Thus, besides the additional location variable, the rule
$\varphi'$ has two timestamp variables, one in the body and one in the head. Moreover,
the body contains an additional positive tsucc-atom. Let $V'$ be $V$ extended to
assign $x_j$ to the location variable, and to assign timestamps $s_j$ and $s_j + 1$ to the
body and head timestamp variables respectively. Let $\psi$ be the positive ground
rule obtained from $\varphi'$ by applying valuation $V'$ and by subsequently removing all
negative (ground) body atoms. We show that $\psi \in G$ and that its body is in $N$, so
that $\psi$ derives $head_\psi = f^{\uparrow x_j, s_j + 1} \in N$, as desired.

For $\psi$ to be in $G$, we require $V'(neg_{\varphi'}) \cap M = \emptyset$. Since $V'(neg_{\varphi'}) = V(neg_\varphi)^{\uparrow x_j, s_j}$,
it suffices to show $V(neg_\varphi)^{\uparrow x_j, s_j} \cap M = \emptyset$. Because $V$ is satisfying for $\varphi$, we have
$V(neg_\varphi) \cap D_j = \emptyset$. Then, by Claim 9 we have $V(neg_\varphi)^{\uparrow x_j, s_j} \cap M = \emptyset$.

Now we show $V'(pos_{\varphi'}) \subseteq N$. The set $V'(pos_{\varphi'})$ consists of the facts $V(pos_\varphi)^{\uparrow x_j, s_j}$
and the fact $tsucc(s_j, s_j + 1)$. The latter fact is in $decl(H)$ and thus in $N$. For
the other facts, because $V$ is satisfying for $\varphi$, we have $V(pos_\varphi) \subseteq D_j$ and thus
$V(pos_\varphi)^{\uparrow x_j, s_j} \subseteq D_j^{\uparrow x_j, s_j} = duc^j_{\mathcal{R}}$. And by using the given assumption $duc^j_{\mathcal{R}} \subseteq N$,
we obtain the inclusion in $N$.

□


Claim 11

Let $i$ be a transition of $\mathcal{R}$. Suppose $D_i^{\uparrow x_i, s_i} \subseteq N$. For each $R(y, \bar a) \in mesg^i_{\mathcal{R}}$ and
timestamp $t \in \mathbb{N}$ with $(y, t) \not\prec_{\mathcal{R}} (x_i, s_i)$ we have
\[
cand_R(x_i, s_i, y, t, \bar a) \in N.
\]


Proof

By definition of $mesg^i_{\mathcal{R}}$, we have $R(y, \bar a) \in async_{\mathcal{P}}(D_i)$. Let $\varphi \in async_{\mathcal{P}}$ and
$V$ be a rule and valuation that have produced $R(y, \bar a)$. Let $\varphi' \in \mathcal{P}$ be the original
asynchronous rule on which $\varphi$ is based. Let $\varphi'' \in pure(\mathcal{P})$ be the rule obtained from
$\varphi'$ by applying the transformation into $pure(\mathcal{P})$. Let $V''$ be valuation $V$ extended to assign $x_i$
and $s_i$ to respectively the sender location and sender timestamp of $\varphi''$, and to assign
$y$ and $t$ respectively to the addressee location and addressee arrival timestamp. Let
$\psi$ denote the positive ground rule that is obtained from $\varphi''$ by applying valuation
$V''$ and by subsequently removing all negative (ground) body atoms. We show that
$\psi \in G$ and that its body is in $N$, so that $\psi$ derives $head_\psi = cand_R(x_i, s_i, y, t, \bar a) \in
N$, as desired.

For $\psi$ to be in $G$, we require $V''(neg_{\varphi''}) \cap M = \emptyset$. By construction of $\varphi''$, the set
$V''(neg_{\varphi''})$ consists of the facts $V(neg_\varphi)^{\uparrow x_i, s_i}$ and the fact $before(y, t, x_i, s_i)$. First,
because $V$ is satisfying for $\varphi$, we have $V(neg_\varphi) \cap D_i = \emptyset$, and thus $V(neg_\varphi)^{\uparrow x_i, s_i} \cap
M = \emptyset$ by Claim 9. Moreover, we are given that $(y, t) \not\prec_{\mathcal{R}} (x_i, s_i)$, and thus we
have not added $before(y, t, x_i, s_i)$ to $caus^i_{\mathcal{R}}$, and by extension also not to $M$ (since
$caus^i_{\mathcal{R}}$ is the only part of $M$ where we add before-facts with last two components
$x_i$ and $s_i$). Thus overall $V''(neg_{\varphi''}) \cap M = \emptyset$, as desired.

Now we show $V''(pos_{\varphi''}) \subseteq N$. By construction of $\varphi''$, the set $V''(pos_{\varphi''})$ consists of
the facts $V(pos_\varphi)^{\uparrow x_i, s_i}$, $all(y)$ and $time(t)$. First, we immediately have $time(t) \in
decl(H) \subseteq N$. Also, by definition of $mesg^i_{\mathcal{R}}$, $y$ is a valid addressee and thus $all(y) \in
decl(H) \subseteq N$. Finally, because $V$ is satisfying for $\varphi$, we have $V(pos_\varphi) \subseteq D_i$.
Thus $V(pos_\varphi)^{\uparrow x_i, s_i} \subseteq D_i^{\uparrow x_i, s_i}$ and we are given that $D_i^{\uparrow x_i, s_i} \subseteq N$. Thus overall
$V''(pos_{\varphi''}) \subseteq N$.

□


A.2 Inclusion $N \subseteq M$

In this section we show that $N \subseteq M$. By definition, $N = G(decl(H))$. Following
the semantics of positive Datalog programs in Section 3.2.1, we can view $N$ as
a fixpoint, i.e., $N = \bigcup_{l \in \mathbb{N}} N_l$, where $N_0 = decl(H)$, and for each $l \ge 1$ the set $N_l$
is obtained by applying the immediate consequence operator of $G$ to $N_{l-1}$. This
implies $N_{l-1} \subseteq N_l$ for each $l \ge 1$. We show by induction on $l = 0, 1, \ldots$, that
$N_l \subseteq M$. For the base case ($l = 0$), we immediately have $N_0 = decl(H) \subseteq M$.
For the induction hypothesis, we assume for some $l \ge 1$ that $N_{l-1} \subseteq M$. For the
inductive step, we show that $N_l \subseteq M$. Specifically, we divide the facts of $N_l \setminus N_{l-1}$
into groups based on their predicate, and for each group we show inclusion in $M$.
As for terminology, we call a ground rule $\psi \in G$ active on $N_{l-1}$ if $pos_\psi \subseteq N_{l-1}$.
The numbered claims we will refer to can be found in Section A.2.5.

A.2.1 Causality

Let $before(x, s, y, t) \in N_l \setminus N_{l-1}$. It is sufficient to show that $(x, s) \prec_{\mathcal{R}} (y, t)$,
because then $before(x, s, y, t) \in caus^i_{\mathcal{R}} \subseteq M$ where $i = glob_{\mathcal{R}}(y, t)$. We have the
following cases:

Local edge. The before-fact was derived by a ground rule in $G$ of the local-edge form.
This implies $x = y$ and $t = s + 1$. Then $(x, s) \prec_{\mathcal{R}} (y, t)$ by definition of $\prec_{\mathcal{R}}$.

Message edge. The before-fact was derived by a ground rule in $G$ of the message-edge form:
\[
before(x, s, y, t) \leftarrow chosen_R(x, s, y, t, \bar a).
\]
Since this rule is active on $N_{l-1}$, we have $chosen_R(x, s, y, t, \bar a) \in N_{l-1}$. By applying
the induction hypothesis, we have $chosen_R(x, s, y, t, \bar a) \in M$. Denoting
$j = glob_{\mathcal{R}}(x, s)$, the set $snd^j_{\mathcal{R}}$ is the only part of $M$ where we could have added this
fact. This implies that $x$ during its step $s$ sends a message to $y$, and this message
arrives at local step $t$ of $y$. Then $(x, s) \prec_{\mathcal{R}} (y, t)$ by definition of $\prec_{\mathcal{R}}$.

Transitive edge. The before-fact was derived by a ground rule in $G$ of the transitive form:
\[
before(x, s, y, t) \leftarrow before(x, s, z, u),\ before(z, u, y, t).
\]
Since this rule is active on $N_{l-1}$, its body facts are in $N_{l-1}$. By applying the induction
hypothesis, we have $before(x, s, z, u) \in M$ and $before(z, u, y, t) \in M$. The
only places we could have added these facts to $M$ are in the sets $caus^j_{\mathcal{R}}$ and $caus^k_{\mathcal{R}}$
respectively, where $j = glob_{\mathcal{R}}(z, u)$ and $k = glob_{\mathcal{R}}(y, t)$. By construction of the sets
$caus^j_{\mathcal{R}}$ and $caus^k_{\mathcal{R}}$ we respectively have that $(x, s) \prec_{\mathcal{R}} (z, u)$ and $(z, u) \prec_{\mathcal{R}} (y, t)$,
and thus by transitivity $(x, s) \prec_{\mathcal{R}} (y, t)$, as desired.

A.2.2 Finite Messages

Senders. Let $hasSender(x, s, y, t) \in N_l \setminus N_{l-1}$. This fact can only have been derived
by a ground rule in $G$ of the hasSender-form:
\[
hasSender(x, s, y, t) \leftarrow chosen_R(y, t, x, s, \bar a).
\]
Since this rule is active on $N_{l-1}$, we have $chosen_R(y, t, x, s, \bar a) \in N_{l-1}$. By applying
the induction hypothesis, we have $chosen_R(y, t, x, s, \bar a) \in M$. We can only have
added this fact in the set $snd^i_{\mathcal{R}}$ with $i = glob_{\mathcal{R}}(y, t)$. This means that $y$ during its
step $t$ sends a message $R(\bar a)$ to $x$, and this message arrives during step $s$ of $x$. Hence,
denoting $j = glob_{\mathcal{R}}(x, s)$, we have $(y, t) \in senders^j_{\mathcal{R}}$ (with $senders^j_{\mathcal{R}}$ as defined in
Section 5.2.2). Thus we have added the fact $hasSender(x, s, y, t) \in fin^j_{\mathcal{R}} \subseteq M$, as
desired.

Comparison of timestamps. Let $isSmaller(x, s, y, t) \in N_l \setminus N_{l-1}$. This fact can only
have been derived by a ground rule in $G$ of the isSmaller-form:
\[
isSmaller(x, s, y, t) \leftarrow hasSender(x, s, y, t),\ hasSender(x, s, y, t'),\ t < t'.
\]
Since this rule is active on $N_{l-1}$, its body facts are in $N_{l-1}$. By applying the induction
hypothesis, we have $hasSender(x, s, y, t) \in M$ and $hasSender(x, s, y, t') \in M$.
The only part of $M$ where we could have added these facts is the set $fin^i_{\mathcal{R}}$ with
$i = glob_{\mathcal{R}}(x, s)$. By construction of the set $fin^i_{\mathcal{R}}$, this implies that $(y, t) \in senders^i_{\mathcal{R}}$
and $(y, t') \in senders^i_{\mathcal{R}}$. Because $(t < t') \in N_{l-1}$, we more specifically know that $(t <
t') \in decl(H)$, which implies $t < t'$. Thus we have added $isSmaller(x, s, y, t) \in
fin^i_{\mathcal{R}}$, as desired.

Maximum timestamp. Let $hasMax(x, s, y) \in N_l \setminus N_{l-1}$. This fact can only have been
derived by a ground rule in $G$ of the hasMax-form:
\[
hasMax(x, s, y) \leftarrow hasSender(x, s, y, t).
\]
Since this rule is active on $N_{l-1}$, we have $hasSender(x, s, y, t) \in N_{l-1}$. By applying
the induction hypothesis, we have $hasSender(x, s, y, t) \in M$. The only part of $M$
where we could have added this fact is the set $fin^i_{\mathcal{R}}$ with $i = glob_{\mathcal{R}}(x, s)$. Thus
$(y, t) \in senders^i_{\mathcal{R}}$, and $y$ is a sender-node mentioned in $senders^i_{\mathcal{R}}$. Hence, we have
added $hasMax(x, s, y) \in fin^i_{\mathcal{R}} \subseteq M$, as desired.

Receive infinite. Let $rcvinf(x, s) \in N_l \setminus N_{l-1}$. This fact can only have been derived
by a ground rule in $G$ of the rcvinf-form:
\[
rcvinf(x, s) \leftarrow hasSender(x, s, y, t).
\]
Since this rule is active on $N_{l-1}$, we have $hasSender(x, s, y, t) \in N_{l-1}$. By applying
the induction hypothesis, we have $hasSender(x, s, y, t) \in M$. The only part of $M$
where we could have added this fact is the set $fin^i_{\mathcal{R}}$ with $i = glob_{\mathcal{R}}(x, s)$. Thus
$(y, t) \in senders^i_{\mathcal{R}}$. Moreover, because the rcvinf-rule contains a negative hasMax-atom
in the body, and the above ground rule is in $G$, it must be that $hasMax(x, s, y) \notin
M$, and thus $hasMax(x, s, y) \notin fin^i_{\mathcal{R}}$. But since $y$ is a sender-node mentioned in
$senders^i_{\mathcal{R}}$, the absence of $hasMax(x, s, y)$ from $fin^i_{\mathcal{R}}$ is impossible. Therefore this
case cannot occur.


A.2.3 Regular Facts

Let $R(x, s, \bar a) \in (N_l \setminus N_{l-1})|_{sch(\mathcal{P})^{LT}}$. The fact $R(x, s, \bar a)$ has been derived by a
ground rule $\psi \in G$ that is active on $N_{l-1}$. Because $\psi \in G$, there is a rule $\varphi \in
pure(\mathcal{P})$ and valuation $V$ such that $\psi$ is obtained from $\varphi$ by applying $V$ and by
subsequently removing the negative (ground) body atoms, and such that $V(neg_\varphi) \cap
M = \emptyset$. We have the following cases:

Deductive. Rule $\varphi$ is of the form (1). Let $\varphi' \in deduc_{\mathcal{P}}$ be the original deductive rule
corresponding to $\varphi$. By construction of $\varphi$ out of $\varphi'$, we can apply valuation $V$ to
$\varphi'$ as well. Denote $i = glob_{\mathcal{R}}(x, s)$. We will show now that $V$ is satisfying for $\varphi'$
during transition $i$, which causes $V(head_{\varphi'}) = R(\bar a) \in D_i$ to be derived, and we
obtain as desired:
\[
R(x, s, \bar a) \in D_i^{\uparrow x, s} = duc^i_{\mathcal{R}} \subseteq M.
\]
By definition of syntactic stratification, relations mentioned in $pos_{\varphi'}$ are never computed
in a stratum higher than $R$, and relations mentioned in $neg_{\varphi'}$ are computed
in a strictly lower stratum than $R$. Thus, it is sufficient to show that $V(pos_{\varphi'}) \subseteq D_i$
and $V(neg_{\varphi'}) \cap D_i = \emptyset$.

First we show $V(pos_{\varphi'}) \subseteq D_i$. Because $\varphi$ is of the form (1), all facts in $V(pos_\varphi)$
are over $sch(\mathcal{P})^{LT}$ and have location specifier $x$ and timestamp $s$. Moreover, since
$\psi$ is active on $N_{l-1}$, we have $pos_\psi = V(pos_\varphi) \subseteq N_{l-1}$. By applying the induction
hypothesis, we have $V(pos_\varphi) \subseteq M$, and thus $V(pos_\varphi)^{\downarrow} \subseteq D_i$ by Claim 12. We thus
obtain $V(pos_{\varphi'}) \subseteq D_i$ since $V(pos_\varphi)^{\downarrow} = V(pos_{\varphi'})$.

Next we show $V(neg_{\varphi'}) \cap D_i = \emptyset$. Because $\varphi$ is of the form (1), all facts in $V(neg_\varphi)$
are over $sch(\mathcal{P})^{LT}$ and have location specifier $x$ and timestamp $s$. Moreover, by
choice of $\psi$ and $V$, we have $V(neg_\varphi) \cap M = \emptyset$, and thus $V(neg_\varphi)^{\downarrow} \cap D_i = \emptyset$ by
Claim 13. We thus obtain $V(neg_{\varphi'}) \cap D_i = \emptyset$ since $V(neg_\varphi)^{\downarrow} = V(neg_{\varphi'})$.

Inductive. Rule $\varphi$ is of the form (2). Let $\varphi' \in induc_{\mathcal{P}}$ be the rule corresponding to
$\varphi$. First, $\psi$ contains in its body a fact of the form $tsucc(r, s)$. Since $\psi$ is active on
$N_{l-1}$, we have $tsucc(r, s) \in N_{l-1}$ and more specifically, $tsucc(r, s) \in decl(H)$. This
implies that $s = r + 1$. Denote $i = glob_{\mathcal{R}}(x, r)$ and $j = glob_{\mathcal{R}}(x, s)$. Since $s = r + 1$,
there are no transitions of node $x$ between $i$ and $j$. By the relationship between $\varphi$
and $\varphi'$, we can apply $V$ to $\varphi'$, and we will now show that $V$ is satisfying for $\varphi'$
during transition $i$. This results in $V(head_{\varphi'}) = R(\bar a) \in induc_{\mathcal{P}}(D_i) \subseteq st_{i+1}(x)$,
and since $st_{i+1}(x) = st_j(x) \subseteq D_j$, we obtain $R(x, s, \bar a) \in D_j^{\uparrow x, s} = duc^j_{\mathcal{R}} \subseteq M$, as
desired.

First we show $V(pos_{\varphi'}) \subseteq D_i$. Denote $I = V(pos_\varphi)|_{sch(\mathcal{P})^{LT}}$, which allows us to
exclude the extra tsucc-fact in the body. All facts in $I$ have location specifier $x$
and timestamp $r$. Because $\psi$ is active on $N_{l-1}$, we have $I \subseteq pos_\psi \subseteq N_{l-1}$, and by
applying the induction hypothesis, we have $I \subseteq M$. Thus $I^{\downarrow} \subseteq D_i$ by Claim 12.
Hence, $V(pos_{\varphi'}) = I^{\downarrow} \subseteq D_i$.

Secondly, showing that $V(neg_{\varphi'}) \cap D_i = \emptyset$ is like in the previous case, where $\varphi$
is deductive.

Delivery. Rule $\varphi$ is of the delivery form. Then $\psi$ concretely looks as follows, where $(y, t) \in
\mathcal{N} \times \mathbb{N}$:
\[
R(x, s, \bar a) \leftarrow chosen_R(y, t, x, s, \bar a).
\]
Since $\psi$ is active on $N_{l-1}$, we have $chosen_R(y, t, x, s, \bar a) \in N_{l-1}$, and by applying
the induction hypothesis, we have $chosen_R(y, t, x, s, \bar a) \in M$. The only part of $M$
where we could have added this fact is $snd^i_{\mathcal{R}}$ with $i = glob_{\mathcal{R}}(y, t)$. This implies that
$x$ will receive $R(\bar a)$ during its local step $s$, thus during transition $j = glob_{\mathcal{R}}(x, s)$.
Then, by the operational semantics, we have $R(\bar a) \in untag(m_j) \subseteq D_j$. Hence,
$R(x, s, \bar a) \in D_j^{\uparrow x, s} = duc^j_{\mathcal{R}} \subseteq M$.


A.2.4 Sending 

For a transition $i$ of $\mathcal{R}$, let $D_i$ denote the output of subprogram $deduc_\mathcal{P}$ during transition $i$.

Candidates Let $cand_R(x, s, y, t, \bar d) \in N_i \setminus N_{i-1}$. The fact $cand_R(x, s, y, t, \bar d)$ is derived by a ground rule $\psi \in G$ of the form (…) that is active on $N_{i-1}$. Because $\psi \in G$, there is a rule $\varphi \in pure(\mathcal{P})$ and a valuation $V$ such that $\psi$ is obtained from $\varphi$ by applying valuation $V$ and by subsequently removing the negative (ground) body atoms, and so that $V(neg_\varphi) \cap M = \emptyset$. Denote $i = glob_\mathcal{R}(x, s)$. It is sufficient to show that $R(y, \bar d) \in mesg_i$ and $(y, t) \not\prec_\mathcal{R} (x, s)$, because then $cand_R(x, s, y, t, \bar d) \in snd_i \subseteq M$, as desired.

First, we show $(y, t) \not\prec_\mathcal{R} (x, s)$. Because there is a negative $before$-atom in $\varphi$, the existence of $\psi$ in $G$ implies that $before(y, t, x, s) \notin M$. Hence, $before(y, t, x, s) \notin caus_\mathcal{R}$. Then by construction of $caus_\mathcal{R}$ we obtain $(y, t) \not\prec_\mathcal{R} (x, s)$.

Secondly, we show $R(y, \bar d) \in mesg_i$. Let $\varphi' \in \mathcal{P}$ be the original asynchronous rule on which $\varphi$ is based. Let $\varphi'' \in async_\mathcal{P}$ be the rule corresponding to $\varphi'$. It follows from the constructions of $\varphi$ out of $\varphi'$ and $\varphi''$ out of $\varphi'$ that valuation $V$ can be applied to $\varphi''$. Note, $V(head_{\varphi''}) = R(y, \bar d)$. We show that $V$ is satisfying for $\varphi''$ during transition $i$ on $D_i$, which gives $R(y, \bar d) \in async_\mathcal{P}(D_i)$. Moreover, the body of $\psi$ contains the fact $all(y) \in decl(H)$, and thus $y \in \mathcal{N}$, making $y$ a valid addressee. Hence, $R(y, \bar d) \in mesg_i$, as desired.

We have to show $V(pos_{\varphi''}) \subseteq D_i$ and $V(neg_{\varphi''}) \cap D_i = \emptyset$. Abbreviate $A = V(pos_\varphi)|_{sch(\mathcal{P})^{LT}}$ and $B = V(neg_\varphi)|_{sch(\mathcal{P})^{LT}}$. Note, $A^{\downarrow} = V(pos_{\varphi''})$ and $B^{\downarrow} = V(neg_{\varphi''})$. All facts in $A \cup B$ have location specifier $x$ and timestamp $s$.

• Because $\psi$ is active on $N_{i-1}$, we have $A \subseteq pos_\psi \subseteq N_{i-1}$, and thus $A \subseteq M$ by the induction hypothesis. Then $V(pos_{\varphi''}) = A^{\downarrow} \subseteq D_i$ by Claim 12.

• By choice of $\varphi$ and $V$, we have $B \cap M = \emptyset$. Then $B^{\downarrow} \cap D_i = \emptyset$ by Claim 13, giving $V(neg_{\varphi''}) \cap D_i = \emptyset$.

Chosen Let $chosen_R(x, s, y, t, \bar d) \in N_i \setminus N_{i-1}$. This fact is derived by a ground rule $\psi$ in $G$ of the form (…):

$chosen_R(x, s, y, t, \bar d) \leftarrow cand_R(x, s, y, t, \bar d).$

Denote $i = glob_\mathcal{R}(x, s)$. We show that $R(y, \bar d) \in mesg_i$ and that $t$ is the actual arrival timestamp of this message at $y$. Then $chosen_R(x, s, y, t, \bar d) \in snd_i \subseteq M$, as desired.

First, since $\psi$ is active on $N_{i-1}$, we have $cand_R(x, s, y, t, \bar d) \in N_{i-1}$, and thus $cand_R(x, s, y, t, \bar d) \in M$ by the induction hypothesis. The set $snd_i$ is the only part of $M$ where we could have added this fact, which implies $R(y, \bar d) \in mesg_i$ and $(y, t) \not\prec_\mathcal{R} (x, s)$.

We are left to show that $t$ is the actual arrival timestamp of the message. Because $\psi \in G$, there is a rule $\varphi \in pure(\mathcal{P})$ and valuation $V$ such that $\psi$ is obtained from $\varphi$ by applying $V$ and by subsequently removing the negative (ground) body atoms, and so that $V(neg_\varphi) \cap M = \emptyset$. Now, because rule $\varphi$ contains a negative $other_R$-atom in its body, we have $other_R(x, s, y, t, \bar d) \notin M$ and thus $other_R(x, s, y, t, \bar d) \notin snd_i$. Since $R(y, \bar d) \in mesg_i$ and $(y, t) \not\prec_\mathcal{R} (x, s)$ (see above), the absence of this $other_R$-fact from $snd_i$ can only be explained by the following: $t = loc_\mathcal{R}(j)$ with $j = \alpha_\mathcal{R}(i, y, R(\bar d))$, as desired.

Other Let $other_R(x, s, y, t, \bar d) \in N_i \setminus N_{i-1}$. This fact is derived by a ground rule $\psi$ of the form (5):

$other_R(x, s, y, t, \bar d) \leftarrow cand_R(x, s, y, t, \bar d),\ chosen_R(x, s, y, t', \bar d),\ t \neq t'.$

We have $cand_R(x, s, y, t, \bar d) \in N_{i-1}$ and $chosen_R(x, s, y, t', \bar d) \in N_{i-1}$ since $\psi$ is active on $N_{i-1}$, and these facts are thus also in $M$ by the induction hypothesis. Denote $i = glob_\mathcal{R}(x, s)$. The only part of $M$ where we could have added these $cand_R$- and $chosen_R$-facts to $M$ is the set $snd_i$. First, $cand_R(x, s, y, t, \bar d) \in snd_i$ implies that $R(y, \bar d) \in mesg_i$ and $(y, t) \not\prec_\mathcal{R} (x, s)$. Second, $chosen_R(x, s, y, t', \bar d) \in snd_i$ implies that $t'$ is the real arrival timestamp of the message $R(\bar d)$ at $y$. Finally, since $\psi$ is active, we have $(t \neq t') \in decl(H)$, and thus $t \neq t'$. Therefore we have added $other_R(x, s, y, t, \bar d)$ to $snd_i \subseteq M$, as desired.

A.2.5 Subclaims 

Claim 12

Let $I$ be a set of facts over $sch(\mathcal{P})^{LT}$, all having the same location specifier $x \in \mathcal{N}$ and timestamp $s \in \mathbb{N}$. Denote $i = glob_\mathcal{R}(x, s)$. If $I \subseteq M$ then $I^{\downarrow} \subseteq D_i$, where $D_i$ denotes the output of subprogram $deduc_\mathcal{P}$ during transition $i$ of $\mathcal{R}$.

Proof

The only part of $M$ where we add facts over $sch(\mathcal{P})^{LT}$ with location specifier $x$ and timestamp $s$ is $duc_i$. Hence $I \subseteq duc_i = D_i^{\uparrow x,s}$ and thus $I^{\downarrow} \subseteq D_i$. □

Claim 13

Let $I$ be a set of facts over $sch(\mathcal{P})^{LT}$, all having the same location specifier $x \in \mathcal{N}$ and timestamp $s \in \mathbb{N}$. Denote $i = glob_\mathcal{R}(x, s)$. If $I \cap M = \emptyset$ then $I^{\downarrow} \cap D_i = \emptyset$, where $D_i$ denotes the output of subprogram $deduc_\mathcal{P}$ during transition $i$ of $\mathcal{R}$.

Proof

First, $I \cap M = \emptyset$ implies $I \cap duc_i = \emptyset$ because $duc_i \subseteq M$. And since $duc_i = D_i^{\uparrow x,s}$, we have $I \cap D_i^{\uparrow x,s} = \emptyset$. Finally, since the facts in $I \cup D_i^{\uparrow x,s}$ all have the same location specifier $x$ and timestamp $s$, we obtain $I^{\downarrow} \cap D_i = \emptyset$. □


Appendix B Model to Run: Proof Details 

Consider the definitions and notations from Section 5.3. In this section we show that $\mathcal{R}$ is a run of $\mathcal{P}$ on input $H$, and that $trace(\mathcal{R}) = M|_{sch(\mathcal{P})^{LT}}$. We do this in several parts, where each part is placed in its own subsection:

• in Section B.2 we show $\rho_0 = start(\mathcal{P}, H)$;

• in Section B.3 we show that every transition of $\mathcal{R}$ is valid; and,

• in Section B.4 we show $trace(\mathcal{R}) = M|_{sch(\mathcal{P})^{LT}}$.

Before we start, the next subsection gives definitions and notations. The numbered claims we will refer to can be found in Section B.5.
B.1 Definitions and Notations

Using notations of Section 2.3, let $G$ be the ground program $ground_M(C, I)$ where $C = pure(\mathcal{P})$ and $I = decl(H)$. By definition of $M$ as a stable model, we have $M = G(I)$.

Let $\varphi \in pure(\mathcal{P})$ be a rule having its head atom over $sch(\mathcal{P})^{LT}$. From the construction of $pure(\mathcal{P})$, we know that $\varphi$ belongs to exactly one of the following three cases:

• $\varphi$ is of the form (…), i.e., deductive, recognizable as a rule in which only atoms over $sch(\mathcal{P})^{LT}$ are used, and in which the location and timestamp variable in the head are the same as in the body;

• $\varphi$ is of the form (…), i.e., inductive, recognizable as a rule with a head atom over $sch(\mathcal{P})^{LT}$ and a $tsucc$-atom in the body;

• $\varphi$ is of the form (6), i.e., a delivery, recognizable as a rule with a head atom over $sch(\mathcal{P})^{LT}$ and a $chosen_R$-fact in the body (with $R$ the head-predicate).

The same classification of deductive, inductive and delivery rules can also be applied to the (positive) ground rules in $G$ that have a ground head atom over $sch(\mathcal{P})^{LT}$.

Recall from the general remarks at the beginning of the appendix that we are working with a fixed (but arbitrary) syntactic stratification for the deductive rules. Stratum numbers start at 1. If $\varphi \in pure(\mathcal{P})$ is deductive, we can uniquely identify its stratum number as the stratum number of the original deductive rule in $\mathcal{P}$ on which $\varphi$ is based. Similarly, for deductive ground rules, we can also uniquely identify the stratum number as the stratum number of a corresponding non-ground rule in $pure(\mathcal{P})$ (see the footnote below).

We call a ground rule $\psi \in G$ active if $pos_\psi \subseteq M$, which implies that $head_\psi \in M$ because $M$ is stable. Now we define the following subsets of $M$:

• $M^{duc,k}$: the head facts of all active deductive rules in $G$ with stratum number less than or equal to $k$;

• $M^{ind}$: the head facts of all active inductive rules in $G$;

• $M^{deliv}$: the head facts of all active delivery rules in $G$.

This allows us to classify the facts in $M|_{sch(\mathcal{P})^{LT}}$ as being derived in a deductive manner, an inductive manner or being message deliveries. We also define:

M‘‘ = M|edb(p)LT U U 

For $(x, s) \in \mathcal{N} \times \mathbb{N}$, we write $M|^{x,s}$ to abbreviate $(M|_{sch(\mathcal{P})^{LT}})|^{x,s}$. So intuitively, when we select the facts with location specifier $x$ and timestamp $s$, we are only interested in facts that provide these two components, which are the facts over $sch(\mathcal{P})^{LT}$.

Intuitively, for $i \in \mathbb{N}$, the set (M^)|^‘’®‘ is the input for the deductive rules during local step $s_i$ of node $x_i$, consisting of (i) the edb-facts; (ii) the facts derived by inductive rules during a previous step (if any) of $x_i$; and, (iii) the delivered messages. The deductive rules then complete this information by deriving some new facts, that are visible within step $s_i$ of $x_i$.

Footnote: We say a corresponding rule rather than the corresponding rule because there could be more than one. Indeed, multiple original deductive rules in $pure(\mathcal{P})$ could be mapped to the same positive ground rule after applying a valuation and removing their negative ground body atoms. But in any case, these non-ground rules will have the same head predicate. Hence, they have the same stratum.

For a transition number $i$ of $\mathcal{R}$, (i) we denote the source-configuration of transition $i$ as $\rho_i = (st_i, bf_i)$; (ii) we denote the set of (tagged) messages delivered in transition $i$ as $m_i$; and, (iii) we denote $D_i = deduc_\mathcal{P}(st_i(x_i) \cup untag(m_i))$. For a number $k \in \mathbb{N}$, we write $D_i^k$ to denote the set of facts obtained by adding to $st_i(x_i) \cup untag(m_i)$ all facts derived in stratum 1 up to stratum $k$ during the computation of $D_i$. To mirror this notation, we write to denote the set

For uniformity in the proofs, we will consider the case $k = 0$, which is an invalid stratum number, and this gives $D_i^0 = st_i(x_i) \cup untag(m_i)$ and = M^.

B.2 Valid Start 

We show that $\rho_0 = start(\mathcal{P}, H)$. Denote $\rho_0 = (st_0, bf_0)$. Let $x \in \mathcal{N}$. First we show $st_0(x) = H(x)$. By definition,

$st_0(x) = \big((M|_{edb(\mathcal{P})^{LT}})|^{x,s} \cup M^{ind}|^{x,s}\big)^{\downarrow}$

with $s = loc_M(0, x)$. Note, $s = 0$ because no elements of $\mathcal{N} \times \mathbb{N}$ with first component $x$ have an ordinal strictly less than 0 in the total order $<_M$. Now, there can be no ground inductive rules in $G$ that derive facts with head timestamp 0 because it follows from the construction of $decl(H)$ that the second component of a $tsucc$-fact is always strictly larger than 0. Therefore $M^{ind}|^{x,s} = \emptyset$, and thus $st_0(x) = \big((M|_{edb(\mathcal{P})^{LT}})|^{x,s}\big)^{\downarrow}$. Then by Claim 14 we have $st_0(x) = (H(x)^{\uparrow x,s})^{\downarrow} = H(x)$, as desired.

Now we show $bf_0(x) = \emptyset$. By definition, $bf_0(x)$ is

$\{(glob_M(y, t), R(\bar d)) \mid \exists u : chosen_R(y, t, x, u, \bar d) \in M,\ glob_M(y, t) < 0 \leq glob_M(x, u)\}.$

By definition of function $glob_M(\cdot)$, all facts of the form $chosen_R(y, t, x, u, \bar d) \in M$ satisfy $glob_M(y, t) \geq 0$. Hence, $bf_0(x) = \emptyset$.

We conclude that $\rho_0 = start(\mathcal{P}, H)$.

B.3 Valid Transition 

Let $i \in \mathbb{N}$. We show that $(\rho_i, x_i, m_i, i, \rho_{i+1})$ is a valid transition. Denote $\rho_i = (st_i, bf_i)$ and $\rho_{i+1} = (st_{i+1}, bf_{i+1})$.

We start by showing $m_i \subseteq bf_i(x_i)$. Let $(j, f) \in m_i$. By definition of $m_i$, there is a fact of the form $chosen_R(y, t, z, u, \bar d) \in M$ with $glob_M(z, u) = i$ such that $j = glob_M(y, t)$ and $f = R(\bar d)$. Note, $glob_M(z, u) = i$ implies $z = x_i$ and $u = s_i$. Now, because rules in $pure(\mathcal{P})$ of the form (…) are always positive, the following ground rule is in $G$, which is of the form (…):

$before(y, t, x_i, s_i) \leftarrow chosen_R(y, t, x_i, s_i, \bar d).$

Since its body is in $M$, this rule derives $before(y, t, x_i, s_i) \in M$. Hence $(y, t) \prec_M (x_i, s_i)$ by definition of $\prec_M$. Moreover, $<_M$ respects $\prec_M$, and thus $(y, t) <_M (x_i, s_i)$, which implies $glob_M(y, t) < glob_M(x_i, s_i)$. And since $glob_M(x_i, s_i) = i$, we overall have

$glob_M(y, t) < i \leq glob_M(x_i, s_i).$

Therefore $(j, f) \in bf_i(x_i)$.

Now, because $m_i \subseteq bf_i(x_i)$, and because transitions are deterministic once the active node and delivered messages are fixed, we can consider the unique result configuration $\rho = (st, bf)$ such that $(\rho_i, x_i, m_i, i, \rho)$ is a valid transition. We are left to show $\rho_{i+1} = \rho$. We divide the work in two parts: for each $x \in \mathcal{N}$, we show that (i) $st_{i+1}(x) = st(x)$, and (ii) $bf_{i+1}(x) = bf(x)$.

B.3.1 State 

Let $x \in \mathcal{N}$. We show $st_{i+1}(x) = st(x)$. Denote $s = loc_M(i + 1, x)$. By definition,

$st_{i+1}(x) = \big((M|_{edb(\mathcal{P})^{LT}})|^{x,s} \cup M^{ind}|^{x,s}\big)^{\downarrow}.$

Case $x \neq x_i$. By definition, $st(x) = st_i(x)$. Hence, it suffices to show $st_{i+1}(x) = st_i(x)$. Since $x \neq x_i$, the number of pairs from $\mathcal{N} \times \mathbb{N}$ containing node $x$ that come strictly before ordinal $i + 1$ is the same as the number of pairs containing node $x$ that come strictly before ordinal $i$. Formally: $s = loc_M(i + 1, x) = loc_M(i, x)$. Thus the right-hand side in the previous equation equals $st_i(x)$, and the result is obtained.

Case $x = x_i$. By definition, $st(x) = H(x) \cup induc_\mathcal{P}(D_i)$. Referring to the definition of $st_{i+1}(x)$ from above, by Claim 14 we have

If we can also show $M^{ind}|^{x,s} = induc_\mathcal{P}(D_i)^{\uparrow x,s}$, then we overall have, as desired:

$st_{i+1}(x) = H(x) \cup induc_\mathcal{P}(D_i) = st(x).$

Since $x = x_i$, we have $s = loc_M(i + 1, x_i) = loc_M(i, x_i) + 1$, and using that $loc_M(i, x_i) = s_i$ (Claim 15), we have $s = s_i + 1$. Now, Claim 16 and Claim 19 together show $M^{ind}|^{x_i,s_i+1} = induc_\mathcal{P}(D_i)^{\uparrow x_i,s_i+1}$.


B.3.2 Buffer 

Let $x \in \mathcal{N}$. We show $bf_{i+1}(x) = bf(x)$. Denote

$\delta = \{(i, R(\bar d)) \mid R(x, \bar d) \in async_\mathcal{P}(D_i)\}.$

Like in the operational semantics, $\delta$ denotes the (tagged) messages that are sent to $x$ during transition $i$.
Case $x \neq x_i$. By definition, $bf(x) = bf_i(x) \cup \delta$. We start by showing $bf(x) \subseteq bf_{i+1}(x)$. Let $(j, f) \in bf(x)$. Denote $f = R(\bar d)$.

• Suppose $(j, f) \in bf_i(x)$. By definition of $bf_i(x)$, there are values $y \in \mathcal{N}$, $t \in \mathbb{N}$ and $u \in \mathbb{N}$ such that $chosen_R(y, t, x, u, \bar d) \in M$ and $j = glob_M(y, t) < i \leq glob_M(x, u)$. Now, since $x \neq x_i$, we more specifically have $i < glob_M(x, u)$ and thus $i + 1 \leq glob_M(x, u)$. Therefore $(j, f) \in bf_{i+1}(x)$, as desired.

• Suppose $(j, f) \in \delta$. By definition of $\delta$, this implies $j = i$ and $R(x, \bar d) \in async_\mathcal{P}(D_i)$. Then $(j, f) = (i, R(\bar d)) \in bf_{i+1}(x)$ by Claim 20, as desired.

Secondly, we show $bf_{i+1}(x) \subseteq bf(x)$. Let $(j, f) \in bf_{i+1}(x)$. Denote $f = R(\bar d)$. By definition of $bf_{i+1}(x)$, there are values $y \in \mathcal{N}$, $t \in \mathbb{N}$ and $u \in \mathbb{N}$ such that $chosen_R(y, t, x, u, \bar d) \in M$ and $j = glob_M(y, t) < i + 1 \leq glob_M(x, u)$. So $j \leq i$. We have the following cases:

• Suppose $j < i$. Thus $glob_M(y, t) < i \leq glob_M(x, u)$. This immediately gives $(j, f) \in bf_i(x) \subseteq bf(x)$, as desired.

• Suppose $j = i$. Then $R(x, \bar d) \in async_\mathcal{P}(D_i)$ by Claim 21. This implies that $(j, f) = (i, R(\bar d)) \in \delta \subseteq bf(x)$, as desired.

Case $x = x_i$. By definition, $bf(x) = (bf_i(x) \setminus m_i) \cup \delta$. Some parts of the reasoning are similar to the case $x \neq x_i$. We refer to shared subclaims where possible.

We start by showing $bf(x) \subseteq bf_{i+1}(x)$. Let $(j, f) \in bf(x)$. Denote $f = R(\bar d)$. We have the following cases:

• Suppose $(j, f) \in bf_i(x) \setminus m_i$. Thus $(j, f) \in bf_i(x)$ and $(j, f) \notin m_i$. Here, $(j, f) \in bf_i(x)$ implies there are values $y \in \mathcal{N}$, $t \in \mathbb{N}$ and $u \in \mathbb{N}$ such that $chosen_R(y, t, x, u, \bar d) \in M$ and $j = glob_M(y, t) < i \leq glob_M(x, u)$. Also, $(j, f) \notin m_i$ implies $glob_M(x, u) \neq i$. Hence, $i + 1 \leq glob_M(x, u)$ and we obtain $(j, f) \in bf_{i+1}(x)$, as desired.

• Suppose $(j, f) \in \delta$. By definition of $\delta$, we have $j = i$ and $R(x, \bar d) \in async_\mathcal{P}(D_i)$. By Claim 20 we then have $(i, R(\bar d)) \in bf_{i+1}(x)$, as desired.

Secondly, we show $bf_{i+1}(x) \subseteq bf(x)$. Let $(j, f) \in bf_{i+1}(x)$. Denote $f = R(\bar d)$. By definition of $bf_{i+1}(x)$, there are values $y \in \mathcal{N}$, $t \in \mathbb{N}$ and $u \in \mathbb{N}$ such that $chosen_R(y, t, x, u, \bar d) \in M$ and $j = glob_M(y, t) < i + 1 \leq glob_M(x, u)$. Now we look at the cases for $j$:

• Suppose $j < i$. This gives us $glob_M(y, t) < i \leq glob_M(x, u)$, which implies $(j, f) \in bf_i(x)$. Moreover, $i + 1 \leq glob_M(x, u)$ gives $glob_M(x, u) \neq i$. Hence, $(j, f) \notin m_i$. Taken together, we now have $(j, f) \in bf_i(x) \setminus m_i \subseteq bf(x)$.

• Suppose $j = i$. Then $(i, R(\bar d)) \in bf_{i+1}(x)$, and by Claim 21 we obtain that $R(x, \bar d) \in async_\mathcal{P}(D_i)$. Therefore $(j, f) = (i, R(\bar d)) \in \delta \subseteq bf(x)$, as desired.
B.4 Trace

In this section we show $trace(\mathcal{R}) = M|_{sch(\mathcal{P})^{LT}}$. Recall from Section 5.1.5 that

$trace(\mathcal{R}) = \bigcup_{i \in \mathbb{N}} D_i^{\uparrow x_i, loc_\mathcal{R}(i)}.$

For each $i \in \mathbb{N}$, $loc_\mathcal{R}(i)$ is the number of transitions in $\mathcal{R}$ before $i$ in which $x_i$ is also the active node. From the construction of $\mathcal{R}$ we know $loc_\mathcal{R}(i) = loc_M(i, x_i)$; indeed, $loc_M(i, x_i)$ counts the number of pairs in $\mathcal{N} \times \mathbb{N}$ with node $x_i$ that have an ordinal strictly smaller than $i$, which is precisely the number of transitions in $\mathcal{R}$ with active node $x_i$ that come before $i$. Moreover, by Claim 15 we have $loc_M(i, x_i) = s_i$. Hence,

$trace(\mathcal{R}) = \bigcup_{i \in \mathbb{N}} D_i^{\uparrow x_i, s_i}.$

Thus, by Claim 22,

$trace(\mathcal{R}) = \bigcup_{i \in \mathbb{N}} M|^{x_i, s_i}.$

For the next step, let us denote $A = \{(x_i, s_i) \mid i \in \mathbb{N}\}$. We show $A = \mathcal{N} \times \mathbb{N}$. First, we have $A \subseteq \mathcal{N} \times \mathbb{N}$ because $x_i \in \mathcal{N}$ and $s_i \in \mathbb{N}$ for each $i \in \mathbb{N}$. Now, let $(x, s) \in \mathcal{N} \times \mathbb{N}$. Denote $i = glob_M(x, s)$. By definition, $x_i = x$ and $s_i = s$. Hence $(x, s) = (x_i, s_i) \in A$. Now we may write:

$trace(\mathcal{R}) = \bigcup_{(x,s) \in A} M|^{x,s} = \bigcup_{(x,s) \in \mathcal{N} \times \mathbb{N}} M|^{x,s}.$

Finally, because $M$ is well-formed (see Section [5?!?]), for each $R(v, w, \bar a) \in M|_{sch(\mathcal{P})^{LT}}$ we have $v \in \mathcal{N}$ and $w \in \mathbb{N}$. We obtain, as desired:

$trace(\mathcal{R}) = M|_{sch(\mathcal{P})^{LT}}.$


B.5 Subclaims 

Claim 14

Let $x \in \mathcal{N}$ and $s \in \mathbb{N}$. We have $(M|_{edb(\mathcal{P})^{LT}})|^{x,s} = H(x)^{\uparrow x,s}$.

Proof

First, by construction of $decl(H)$ we have $(decl(H)|_{edb(\mathcal{P})^{LT}})|^{x,s} = H(x)^{\uparrow x,s}$. Because $decl(H) \subseteq M$, and because facts over $edb(\mathcal{P})^{LT}$ can not be derived by rules in $pure(\mathcal{P})$, we have $M|_{edb(\mathcal{P})^{LT}} = decl(H)|_{edb(\mathcal{P})^{LT}}$. Hence,

$(M|_{edb(\mathcal{P})^{LT}})|^{x,s} = (decl(H)|_{edb(\mathcal{P})^{LT}})|^{x,s} = H(x)^{\uparrow x,s}.$

□
Claim 15

Let $i \in \mathbb{N}$. We have $s_i = loc_M(i, x_i)$.

Proof

Recall that $(x_i, s_i) \in \mathcal{N} \times \mathbb{N}$ is the unique pair at ordinal $i$ in $<_M$, i.e., $glob_M(x_i, s_i) = i$. Suppose we would know for all $s \in \mathbb{N}$ and $t \in \mathbb{N}$ that $s < t$ implies $glob_M(x_i, s) < glob_M(x_i, t)$. Then $loc_M(i, x_i)$, which is

$|\{s \in \mathbb{N} \mid glob_M(x_i, s) < i\}|,$

is precisely

$|\{s \in \mathbb{N} \mid s < s_i\}|.$

The latter is just $s_i$.

We are left to show for any $s \in \mathbb{N}$ and $t \in \mathbb{N}$ that $s < t$ implies $glob_M(x_i, s) < glob_M(x_i, t)$. It is actually sufficient to show for any $s \in \mathbb{N}$ that $(x_i, s) \prec_M (x_i, s + 1)$. Indeed, this would imply for any $t \in \mathbb{N}$ with $s < t$ that

$(x_i, s) \prec_M (x_i, s + 1) \prec_M (x_i, s + 2) \prec_M \cdots \prec_M (x_i, t).$

And since $\prec_M$ is a partial order, it is transitive, and thus $(x_i, s) \prec_M (x_i, t)$. Next, since $<_M$ respects $\prec_M$, we obtain $(x_i, s) <_M (x_i, t)$ and thus $glob_M(x_i, s) < glob_M(x_i, t)$, as desired. To show $(x_i, s) \prec_M (x_i, s + 1)$, we observe that the rule (7) in $pure(\mathcal{P})$ is positive. Hence, for any $s \in \mathbb{N}$, the following ground rule is always in $G$, and it derives $before(x_i, s, x_i, s + 1) \in M$ because $all(x_i) \in decl(H)$ and $tsucc(s, s + 1) \in decl(H)$:

$before(x_i, s, x_i, s + 1) \leftarrow all(x_i),\ tsucc(s, s + 1).$

Thus $(x_i, s) \prec_M (x_i, s + 1)$ by definition of $\prec_M$. □


Claim 16

Let $i \in \mathbb{N}$. We have $M^{ind}|^{x_i,s_i+1} \subseteq induc_\mathcal{P}(D_i)^{\uparrow x_i,s_i+1}$.

Proof

Let $f \in M^{ind}|^{x_i,s_i+1}$. We show $f \in induc_\mathcal{P}(D_i)^{\uparrow x_i,s_i+1}$.

By definition of $M^{ind}|^{x_i,s_i+1}$, there is an active inductive ground rule $\psi \in G$ with $head_\psi = f$. Because $\psi \in G$, there is a rule $\varphi \in pure(\mathcal{P})$ and a valuation $V$ so that $\psi$ can be obtained from $\varphi$ by applying $V$ and by subsequently removing all negative (ground) body literals, and so that $V(neg_\varphi) \cap M = \emptyset$. The rule $\varphi$ must be of the form (…), which implies that $V$ must assign $x_i$ and $s_i$ to the body location and timestamp variable respectively, and that it must assign $x_i$ and $s_i + 1$ to the head location and timestamp variable respectively.

Let $\varphi' \in \mathcal{P}$ be the original inductive rule on which $\varphi$ is based. Let $\varphi'' \in induc_\mathcal{P}$ be the rule corresponding to $\varphi'$. It follows from the construction of $\varphi$ out of $\varphi'$ and $\varphi''$ out of $\varphi'$ that valuation $V$ can also be applied to rule $\varphi''$. Indeed, rule $\varphi$ just has more variables for the location and timestamps. We show that $V$ is satisfying for $\varphi''$ with respect to $D_i$, so that $\varphi''$ and $V$ together derive $V(head_{\varphi''}) = f^{\downarrow} \in induc_\mathcal{P}(D_i)$, which gives $f \in induc_\mathcal{P}(D_i)^{\uparrow x_i,s_i+1}$, as desired.

We must concretely show $V(pos_{\varphi''}) \subseteq D_i$ and $V(neg_{\varphi''}) \cap D_i = \emptyset$. We start by showing $V(pos_{\varphi''}) \subseteq D_i$. From the relationship between $\psi$, $\varphi$ and $\varphi''$, we know that

$pos_\psi|_{sch(\mathcal{P})^{LT}} = V(pos_{\varphi''})^{\uparrow x_i,s_i}.$

Since $\psi$ is active with respect to $M$, we have $pos_\psi \subseteq M$, and thus $V(pos_{\varphi''})^{\uparrow x_i,s_i} \subseteq M$. Then by Claim 17 we have $V(pos_{\varphi''}) \subseteq D_i$, as desired.

Now we show that $V(neg_{\varphi''}) \cap D_i = \emptyset$. By the relationship of $\varphi$ and $\varphi''$, we have $V(neg_{\varphi''})^{\uparrow x_i,s_i} = V(neg_\varphi)$. By choice of $\varphi$ and $V$, we have $V(neg_\varphi) \cap M = \emptyset$. Hence, $V(neg_{\varphi''})^{\uparrow x_i,s_i} \cap M = \emptyset$. Finally, by Claim 18 we have $V(neg_{\varphi''}) \cap D_i = \emptyset$, as desired. □


Claim 17

Let $i \in \mathbb{N}$. Let $I$ be a set of facts over $sch(\mathcal{P})^{LT}$ that all have location specifier $x_i$ and timestamp $s_i$. If $I \subseteq M$ then $I^{\downarrow} \subseteq D_i$, with $D_i$ as defined in Section B.1.

Proof

We are given $I \subseteq M$. By the assumptions on $I$, we more specifically have $I \subseteq M|^{x_i,s_i}$. Then by Claim 22 we have $I \subseteq (D_i)^{\uparrow x_i,s_i}$. Hence $I^{\downarrow} \subseteq D_i$, as desired. □

Claim 18

Let $i \in \mathbb{N}$. Let $I$ be a set of facts over $sch(\mathcal{P})^{LT}$ that all have location specifier $x_i$ and timestamp $s_i$. If $I \cap M = \emptyset$ then $I^{\downarrow} \cap D_i = \emptyset$, with $D_i$ as defined in Section B.1.

Proof

We are given that $I \cap M = \emptyset$. This implies $I \cap M|^{x_i,s_i} = \emptyset$. By Claim 22 we have $I \cap (D_i)^{\uparrow x_i,s_i} = \emptyset$. Hence, by the assumptions on $I$, we have $I^{\downarrow} \cap D_i = \emptyset$, as desired. □


Claim 19

Let $i \in \mathbb{N}$. We have $induc_\mathcal{P}(D_i)^{\uparrow x_i,s_i+1} \subseteq M^{ind}|^{x_i,s_i+1}$.

Proof

Let $f \in induc_\mathcal{P}(D_i)$. We show that $f^{\uparrow x_i,s_i+1} \in M^{ind}|^{x_i,s_i+1}$.

Recall the semantics for $induc_\mathcal{P}$ from Section 5.1.2. Let $\varphi \in induc_\mathcal{P}$ and $V$ be the rule and valuation that together derived $f \in induc_\mathcal{P}(D_i)$. Let $\varphi' \in \mathcal{P}$ be the original inductive rule on which $\varphi$ is based. Let $\varphi'' \in pure(\mathcal{P})$ be the inductive rule that in turn is based on $\varphi'$, which is of the form (…). Let $V''$ be the valuation for $\varphi''$ that is obtained by extending $V$ to assign $x_i$ and $s_i$ to respectively the location and timestamp variables in the body, and to assign $s_i + 1$ to the head timestamp variable. Let $\psi$ be the positive ground rule obtained from $\varphi''$ by applying the valuation $V''$, and by subsequently removing the negative (ground) body literals. Note that $head_\psi = V(head_\varphi)^{\uparrow x_i,s_i+1} = f^{\uparrow x_i,s_i+1}$. We will show that $\psi \in G$ and that $pos_\psi \subseteq M$, so that this ground rule derives $f^{\uparrow x_i,s_i+1} \in M$. And since $\psi$ is inductive, we more specifically have $f^{\uparrow x_i,s_i+1} \in M^{ind}|^{x_i,s_i+1}$, as desired.

For $\psi \in G$, we require $V''(neg_{\varphi''}) \cap M = \emptyset$. From the construction of rule $\varphi''$, we have $V''(neg_{\varphi''}) = V(neg_\varphi)^{\uparrow x_i,s_i}$. We show $V(neg_\varphi)^{\uparrow x_i,s_i} \cap M = \emptyset$.

Because $V$ is satisfying for $\varphi$ with respect to $D_i$, we have $V(neg_\varphi) \cap D_i = \emptyset$. This gives $V(neg_\varphi)^{\uparrow x_i,s_i} \cap (D_i)^{\uparrow x_i,s_i} = \emptyset$. Then $V(neg_\varphi)^{\uparrow x_i,s_i} \cap M|^{x_i,s_i} = \emptyset$ by Claim 22. Next, we obtain $V(neg_\varphi)^{\uparrow x_i,s_i} \cap M = \emptyset$ since $V(neg_\varphi)^{\uparrow x_i,s_i}$ contains only facts over $sch(\mathcal{P})^{LT}$ with location specifier $x_i$ and timestamp $s_i$.

Now we show $pos_\psi \subseteq M$. From the construction of rule $\varphi''$, we have

$pos_\psi = V''(pos_{\varphi''}) = V(pos_\varphi)^{\uparrow x_i,s_i} \cup \{tsucc(s_i, s_i + 1)\}.$

We immediately have $tsucc(s_i, s_i + 1) \in decl(H) \subseteq M$. Moreover, since $V$ is satisfying for $\varphi$ with respect to $D_i$, we have $V(pos_\varphi) \subseteq D_i$. Hence $V(pos_\varphi)^{\uparrow x_i,s_i} \subseteq (D_i)^{\uparrow x_i,s_i}$. By Claim 22 we then have $V(pos_\varphi)^{\uparrow x_i,s_i} \subseteq M|^{x_i,s_i} \sub seteq M$, as desired.

□


Claim 20

Let $i \in \mathbb{N}$. Let $x \in \mathcal{N}$. For each $R(x, \bar d) \in async_\mathcal{P}(D_i)$, we have $(i, R(\bar d)) \in bf_{i+1}(x)$.

Proof

The main approach of this proof is as follows. We will show there is a timestamp $u \in \mathbb{N}$ such that $chosen_R(x_i, s_i, x, u, \bar d) \in M$. Next, because rules of the form (…) are positive, in $G$ there is always the following ground rule:

$before(x_i, s_i, x, u) \leftarrow chosen_R(x_i, s_i, x, u, \bar d).$

Thus if $chosen_R(x_i, s_i, x, u, \bar d) \in M$ then $before(x_i, s_i, x, u) \in M$, which implies $(x_i, s_i) \prec_M (x, u)$ by definition of $\prec_M$. Since $<_M$ respects $\prec_M$, we obtain $(x_i, s_i) <_M (x, u)$ and thus $glob_M(x_i, s_i) < glob_M(x, u)$. Also, since $glob_M(x_i, s_i) = i$, we overall get

$glob_M(x_i, s_i) < i + 1 \leq glob_M(x, u),$

which together with $chosen_R(x_i, s_i, x, u, \bar d) \in M$ gives $(glob_M(x_i, s_i), R(\bar d)) = (i, R(\bar d)) \in bf_{i+1}(x)$, as desired.

Now we are left to show that such a timestamp $u$ exists. Recall the semantics for $async_\mathcal{P}$ from Section 5.1.2. Let $\varphi \in async_\mathcal{P}$ and $V$ be a rule and valuation that together have derived $R(x, \bar d) \in async_\mathcal{P}(D_i)$. Let $\varphi' \in \mathcal{P}$ be the original asynchronous rule on which $\varphi$ is based. Let $\varphi'' \in pure(\mathcal{P})$ be the rule obtained by applying transformation (…) to $\varphi'$. To continue, because $\prec_M$ is well-founded, there are only a finite number of timestamps $v \in \mathbb{N}$ of node $x$ such that $(x, v) \prec_M (x_i, s_i)$. So, there exists a timestamp $u \in \mathbb{N}$ such that $(x, u) \not\prec_M (x_i, s_i)$. Now, let $V''$ be the valuation for $\varphi''$ that is the extension of valuation $V$ to assign $x_i$ and $s_i$ to the body location variable and timestamp variable respectively (both belonging to the sender), and to assign $u$ to the addressee arrival timestamp. Note that from the construction of $\varphi''$ we also know that $V$ (and thus $V''$) assigns the value $x$ to the addressee location variable and the tuple $\bar d$ to the message contents. Let $\psi$ denote the ground rule obtained by applying $V''$ to $\varphi''$, and by subsequently removing the negative (ground) body literals. We will first show that $\psi \in G$, and then we show that $pos_\psi \subseteq M$, meaning that $\psi$ derives $head_\psi = cand_R(x_i, s_i, x, u, \bar d) \in M$. Then Claim 24 can be applied to know that there is a timestamp $u'$, with possibly $u' = u$, such that $chosen_R(x_i, s_i, x, u', \bar d) \in M$, as desired.

In order for $\psi$ to be in $G$, we require $V''(neg_{\varphi''}) \cap M = \emptyset$. It follows from the construction of $\varphi''$ out of $\varphi'$ and $\varphi$ out of $\varphi'$ that

$V''(neg_{\varphi''}) = V(neg_\varphi)^{\uparrow x_i,s_i} \cup \{before(x, u, x_i, s_i)\}.$

We have $before(x, u, x_i, s_i) \notin M$ because $(x, u) \not\prec_M (x_i, s_i)$ by choice of $u$. Next, we show that $V(neg_\varphi)^{\uparrow x_i,s_i} \cap M = \emptyset$. Because $V$ is satisfying for $\varphi$ with respect to $D_i$, we have $V(neg_\varphi) \cap D_i = \emptyset$, and thus

$V(neg_\varphi)^{\uparrow x_i,s_i} \cap (D_i)^{\uparrow x_i,s_i} = \emptyset.$

Then, by Claim 22,

$V(neg_\varphi)^{\uparrow x_i,s_i} \cap M|^{x_i,s_i} = \emptyset.$

Since $V(neg_\varphi)^{\uparrow x_i,s_i}$ contains only facts over $sch(\mathcal{P})^{LT}$ with location specifier $x_i$ and timestamp $s_i$, we have

$V(neg_\varphi)^{\uparrow x_i,s_i} \cap M = \emptyset.$

We now show $pos_\psi \subseteq M$. Note, $pos_\psi = V''(pos_{\varphi''})$. From the construction of $\varphi''$ we have

$V''(pos_{\varphi''}) = V(pos_\varphi)^{\uparrow x_i,s_i} \cup \{all(x), time(u)\}.$

Because $x \in \mathcal{N}$ and $u \in \mathbb{N}$, we immediately have $\{all(x), time(u)\} \subseteq decl(H) \subseteq M$. We are left to show $V(pos_\varphi)^{\uparrow x_i,s_i} \subseteq M$. Because $V$ is satisfying for $\varphi$ with respect to $D_i$, we have $V(pos_\varphi) \subseteq D_i$. Hence $V(pos_\varphi)^{\uparrow x_i,s_i} \subseteq (D_i)^{\uparrow x_i,s_i}$. By again using Claim 22 we then obtain $V(pos_\varphi)^{\uparrow x_i,s_i} \subseteq M|^{x_i,s_i} \subseteq M$, as desired. □


Claim 21

Let $i \in \mathbb{N}$ and $x \in \mathcal{N}$. For each $(i, R(\bar d)) \in bf_{i+1}(x)$, we have $R(x, \bar d) \in async_\mathcal{P}(D_i)$.

Proof

By definition of $bf_{i+1}(x)$, the pair $(i, R(\bar d)) \in bf_{i+1}(x)$ implies that there are values $y \in \mathcal{N}$, $t \in \mathbb{N}$ and $u \in \mathbb{N}$ such that $chosen_R(y, t, x, u, \bar d) \in M$, $glob_M(y, t) = i$ and $glob_M(y, t) < i + 1 \leq glob_M(x, u)$. And $glob_M(y, t) = i$ gives us that $y = x_i$ and $t = s_i$. Thus $chosen_R(x_i, s_i, x, u, \bar d) \in M$.

All ground rules in $G$ that can derive $chosen_R(x_i, s_i, x, u, \bar d) \in M$ are of the form (3), and hence $cand_R(x_i, s_i, x, u, \bar d) \in M$. Let $\psi \in G$ be an active ground rule with head $cand_R(x_i, s_i, x, u, \bar d)$. Because $\psi \in G$, there is a rule $\varphi \in pure(\mathcal{P})$ and a valuation $V$ so that $\psi$ is obtained from $\varphi$ by applying $V$ and by subsequently removing all negative (ground) body literals, and so that $V(neg_\varphi) \cap M = \emptyset$. The rule $\varphi$ is of the form (…), which implies that $V$ must assign $x_i$ and $s_i$ respectively to the body location and timestamp variable that correspond to the sender, and that it must assign $x$ and $u$ respectively to the location and timestamp variable that correspond to the addressee. Let $\varphi' \in \mathcal{P}$ be the original asynchronous rule on which $\varphi$ is based. Let $\varphi''$ be the corresponding rule in $async_\mathcal{P}$. From the construction of $\varphi$ out of $\varphi'$ and $\varphi''$ out of $\varphi'$, it follows that $V$ can also be applied to $\varphi''$. Note, $V(head_{\varphi''}) = R(x, \bar d)$. We now show that $V$ is satisfying for $\varphi''$ with respect to $D_i$, which causes $R(x, \bar d) \in async_\mathcal{P}(D_i)$, as desired. Specifically, we have to show $V(pos_{\varphi''}) \subseteq D_i$ and $V(neg_{\varphi''}) \cap D_i = \emptyset$.

First we show $V(pos_{\varphi''}) \subseteq D_i$. By construction of $\varphi$ and $\varphi''$, we have

$pos_\psi|_{sch(\mathcal{P})^{LT}} = V(pos_\varphi)|_{sch(\mathcal{P})^{LT}} = V(pos_{\varphi''})^{\uparrow x_i,s_i}.$

Since $\psi$ is active, we have $pos_\psi \subseteq M$, and therefore $V(pos_{\varphi''})^{\uparrow x_i,s_i} \subseteq M$. Then, because the facts in $V(pos_{\varphi''})^{\uparrow x_i,s_i}$ are over $sch(\mathcal{P})^{LT}$ and have location specifier $x_i$ and timestamp $s_i$, we can apply Claim 17 to know that $V(pos_{\varphi''}) \subseteq D_i$, as desired.

Now we show $V(neg_{\varphi''}) \cap D_i = \emptyset$. By construction of $\varphi$ and $\varphi''$, we have

$V(neg_\varphi)|_{sch(\mathcal{P})^{LT}} = V(neg_{\varphi''})^{\uparrow x_i,s_i}.$

By choice of $\varphi$ and $V$, we have $V(neg_\varphi) \cap M = \emptyset$. Hence, $V(neg_{\varphi''})^{\uparrow x_i,s_i} \cap M = \emptyset$. Then, because the facts in $V(neg_{\varphi''})^{\uparrow x_i,s_i}$ are over $sch(\mathcal{P})^{LT}$ and have location specifier $x_i$ and timestamp $s_i$, we can apply Claim 18 to know that $V(neg_{\varphi''}) \cap D_i = \emptyset$, as desired. □


Claim 22

Let $i \in \mathbb{N}$. We have $M|^{x_i,s_i} = (D_i)^{\uparrow x_i,s_i}$. Intuitively, this means that the operational deductive fixpoint $D_i$ during transition $i$, corresponding to step $s_i$ of node $x_i$, is represented by $M$ in an exact way.

Proof

Recall the notations from Section B.1. Let $n$ denote the largest stratum number of the deductive rules of $\mathcal{P}$. We show by induction on $k = 0, 1, \ldots, n$ that

This will give us Moreover, Claim 25 says

that and thus we obtain as desired.

Base case ($k = 0$) By definition,

= M^U

But since there are no deductive ground rules in $G$ with stratum 0, we have $M^{duc,0} = \emptyset$. Hence,

= U u (B1)

Using Claim 23 and Claim 26 we can rewrite expression (B1) to the desired equality:

$= (st_i(x_i) \cup untag(m_i))^{\uparrow x_i,s_i} = (D_i^0)^{\uparrow x_i,s_i}.$

Induction hypothesis For the induction hypothesis, we assume for a stratum number $k \geq 1$ that

Inductive step We show that

We show both inclusions separately, in Claims 27 and 28. □


Claim 23

Let $i \in \mathbb{N}$. We have $st_i(x_i)^{\uparrow x_i,s_i} = (M|_{edb(\mathcal{P})^{LT}})|^{x_i,s_i} \cup M^{ind}|^{x_i,s_i}$.

Proof

By definition,

$st_i(x_i) = \big((M|_{edb(\mathcal{P})^{LT}})|^{x_i,s} \cup M^{ind}|^{x_i,s}\big)^{\downarrow},$

where $s = loc_M(i, x_i)$. Using Claim 15 we have $s = s_i$. Therefore,

$st_i(x_i)^{\uparrow x_i,s_i} = (M|_{edb(\mathcal{P})^{LT}})|^{x_i,s_i} \cup M^{ind}|^{x_i,s_i}.$

□


Claim 24

For each fact $cand_R(x, s, y, u, \bar d) \in M$, there is a timestamp $u' \in \mathbb{N}$ such that $chosen_R(x, s, y, u', \bar d) \in M$, with possibly $u' = u$.

Proof

Towards a proof by contradiction, suppose there is no such timestamp $u'$. Now, because $cand_R(x, s, y, u, \bar d) \in M$, the following ground rule, which is of the form (…), can not be in $G$, because otherwise $chosen_R(x, s, y, u, \bar d) \in M$, which is assumed not to be possible:

$chosen_R(x, s, y, u, \bar d) \leftarrow cand_R(x, s, y, u, \bar d).$

Because rules of the form (…) contain a negative $other_R$-atom in their body, the absence of the above ground rule from $G$ implies $other_R(x, s, y, u, \bar d) \in M$. This $other_R$-fact must be derived by a ground rule of the form (5):

$other_R(x, s, y, u, \bar d) \leftarrow cand_R(x, s, y, u, \bar d),\ chosen_R(x, s, y, u', \bar d),\ u \neq u'.$

But this implies that $chosen_R(x, s, y, u', \bar d) \in M$, which is a contradiction. □
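The choice construction used in Claim 24 and in the Chosen/Other cases above (chosen_R derived from cand_R unless other_R holds; other_R derived from a cand_R and a chosen_R with a different timestamp) is what makes the stable models pick exactly one arrival timestamp per message. The following is an added example, not code from the paper: it grounds that construction for one constructed message with three candidate timestamps and enumerates the stable models by brute force via the Gelfond-Lifschitz reduct; the tuple encoding of facts and all function names are my own.

```python
from itertools import product

# Constructed input (not from the paper): one message R(d) sent by node x at local
# step s = 0 to node y, with three candidate arrival timestamps t.  A fact is a tuple
# (predicate, x, s, y, t, d); the predicates mirror cand_R / chosen_R / other_R.
CANDS = frozenset({('cand', 'x', 0, 'y', t, 'd') for t in (1, 2, 3)})


def ground_choice_program(cands):
    """Ground rules as (head, positive_body, negative_body) triples."""
    rules = []
    for c in cands:
        _, x, s, y, t, d = c
        chosen = ('chosen', x, s, y, t, d)
        other = ('other', x, s, y, t, d)
        # chosen_R(x,s,y,t,d) <- cand_R(x,s,y,t,d), not other_R(x,s,y,t,d)
        rules.append((chosen, frozenset({c}), frozenset({other})))
        for c2 in cands:
            _, x2, s2, y2, t2, d2 = c2
            if (x2, s2, y2, d2) == (x, s, y, d) and t2 != t:
                # other_R(x,s,y,t,d) <- cand_R(x,s,y,t,d), chosen_R(x,s,y,t',d), t != t'
                other_body = frozenset({c, ('chosen', x, s, y, t2, d)})
                rules.append((other, other_body, frozenset()))
    return rules


def least_model(positive_rules, facts):
    """Least fixpoint of a positive ground program, starting from the input facts."""
    m = set(facts)
    changed = True
    while changed:
        changed = False
        for head, pos in positive_rules:
            if head not in m and pos <= m:
                m.add(head)
                changed = True
    return m


def is_stable(rules, facts, candidate):
    """Gelfond-Lifschitz test: drop every rule whose negative body meets the
    candidate, strip the remaining negation, and require that the reduct's
    least model is the candidate itself."""
    reduct = [(h, p) for h, p, n in rules if not (n & candidate)]
    return least_model(reduct, facts) == candidate


def stable_models(rules, facts):
    """Brute force over all subsets of derivable heads (fine for a toy program)."""
    heads = sorted({h for h, _, _ in rules})
    found = []
    for bits in product((False, True), repeat=len(heads)):
        cand = set(facts) | {h for h, b in zip(heads, bits) if b}
        if is_stable(rules, facts, cand):
            found.append(frozenset(cand))
    return found


def chosen_timestamps(model):
    """Arrival timestamps a model selects through its chosen_R facts."""
    return sorted(f[4] for f in model if f[0] == 'chosen')


def demo(cands=CANDS):
    """Stable models of the choice program over the given cand_R facts."""
    return stable_models(ground_choice_program(cands), cands)


if __name__ == '__main__':
    # Expect three stable models, each selecting exactly one arrival timestamp.
    for m in demo():
        print('chosen timestamps:', chosen_timestamps(m))
```

Models with zero or two chosen_R facts fail the stability test: with none, every chosen rule survives the reduct and derives all three; with two, each chosen makes the other an other_R fact, blocking its own rule.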


Claim 25

Let $i \in \mathbb{N}$. Let $n$ denote the largest stratum number of the deductive rules of $\mathcal{P}$. We have

Proof 

First, since C M, we immediately have C 

Now, let $f \in M|^{x_i,s_i}$. We show $f \in$ . Since $f$ has location specifier $x_i$ and timestamp $s_i$, we are left to show $f \in$ . We have the following cases:

Suppose $f \in M|_{edb(\mathcal{P})^{LT}}$. Then $f \in$ $\subseteq$ .

Suppose $f \in$ . Then there is an active ground rule $\psi \in G$ with $head_\psi = f$. As seen in Section B.1, rule $\psi$ can be of three types: deductive, inductive and delivery. The last two cases would respectively imply $f \in M^{ind}$ and $f \in M^{deliv}$, giving $f \in$ $\subseteq$ . In the deductive case, rule $\psi$ has a stratum number no larger than $n$, and hence $f \in M^{duc,n} \subseteq$ .

□


Claim 26

Let $i \in \mathbb{N}$. We have $M^{deliv}|^{x_i,s_i} = untag(m_i)^{\uparrow x_i,s_i}$.

Proof

Let $f \in M^{deliv}|^{x_i,s_i}$. We show $f \in untag(m_i)^{\uparrow x_i,s_i}$. Denote $f = R(x_i, s_i, \bar d)$. By definition of $M^{deliv}$, there is an active delivery rule $\psi \in G$ that derives $f$:

$R(x_i, s_i, \bar d) \leftarrow chosen_R(y, t, x_i, s_i, \bar d).$

Because this rule is active, we have $chosen_R(y, t, x_i, s_i, \bar d) \in M$. Now, by definition of $x_i$ and $s_i$, we have $glob_M(x_i, s_i) = i$. Hence, $(glob_M(y, t), R(\bar d)) \in m_i$ and thus $R(\bar d) \in untag(m_i)$. Finally, we obtain $f = R(x_i, s_i, \bar d) \in untag(m_i)^{\uparrow x_i,s_i}$, as desired.

Let $f \in untag(m_i)^{\uparrow x_i,s_i}$. We show $f \in M^{deliv}|^{x_i,s_i}$. Denote $f = R(x_i, s_i, \bar d)$. We have $R(\bar d) \in untag(m_i)$. Thus, there is some tag $j \in \mathbb{N}$ such that $(j, R(\bar d)) \in m_i$. By definition of $m_i$, there are values $y \in \mathcal{N}$, $t \in \mathbb{N}$, $z \in \mathcal{N}$ and $u \in \mathbb{N}$ such that

$chosen_R(y, t, z, u, \bar d) \in M,$

where $glob_M(y, t) = j$ and $glob_M(z, u) = i$. Here, $glob_M(z, u) = i$ implies $z = x_i$ and $u = s_i$. Hence, $chosen_R(y, t, x_i, s_i, \bar d) \in M$. Now, the following ground rule $\psi$ is in $G$ because (delivery) rules of the form (6) are always positive:

$R(x_i, s_i, \bar d) \leftarrow chosen_R(y, t, x_i, s_i, \bar d).$

This rule derives $f = R(x_i, s_i, \bar d) \in M$ because its body-fact is in $M$. Hence, $f \in M^{deliv}|^{x_i,s_i}$, as desired. □


Claim 27

Let $i \in \mathbb{N}$. Let $k$ be a stratum number (thus $k \geq 1$). Suppose that

We have

Proof

We consider the fixpoint computation of $M$, i.e., $M = \bigcup_{l \in \mathbb{N}} M_l$ with $M_0 = \mathit{decl}(H)$ and $M_l = T(M_{l-1})$ for each $l \geq 1$, where $T$ is the immediate consequence operator of $G$. By the semantics of operator $T$, we have $M_{l-1} \subseteq M_l$.

We show by induction on $l = 0, 1, 2, \ldots$, that

$$(M_l \cap\ )|\ \subseteq\ $$

This will imply that

$$\Bigl(\bigcup_{l \in \mathbb{N}} M_l \cap\ \Bigr)|\ \subseteq\ $$

Hence, we obtain, as desired

Before we start with the induction, recall from Section B.1 that

Base case ($l = 0$) We have $M_0 = \mathit{decl}(H)$. Thus $M_0$ contains no facts derived by deductive, inductive or delivery ground rules. Therefore,

$$M_0 \cap\ = M|_{\mathit{edb}(\mathcal{P})^{\mathrm{LT}}}.$$

Hence,

$$(M_0 \cap\ )|^{x_i,s_i} \subseteq (M^{k-1})|^{x_i,s_i}.$$

And by using the given equality $(M^{k-1})|^{x_i,s_i} =\ $, we obtain, as desired:

$$(M_0 \cap\ )|\ \subseteq\ $$

Induction hypothesis Let $l \geq 1$. We assume

$$(M_{l-1} \cap\ )|\ \subseteq\ $$

Inductive step We show

$$(M_l \cap\ )|\ \subseteq\ $$

Let $f \in (M_l \cap\ )|\ $. If $f \in M_{l-1}$ then $f \in (M_{l-1} \cap\ )|\ $ and the induction hypothesis can be immediately applied. Now suppose that $f \in M_l \setminus M_{l-1}$. Then there is a ground rule $\psi \in G$ with $\mathit{head}_\psi = f$ that is active on $M_{l-1}$. We have $\mathit{pos}_\psi \subseteq M_{l-1}$. As we have seen in Section B.1, rule $\psi$ can be of three types: deductive, inductive or a delivery. If $\psi$ is an inductive rule or a delivery rule then

$$\ \subseteq (M^{\,})|^{x_i,s_i} \subseteq\ $$

Now suppose $\psi$ is deductive. If $\psi$ has stratum less than or equal to $k - 1$, then $f \in (M^{k-1})|^{x_i,s_i}$. In that case, the given equality $(M^{k-1})|^{x_i,s_i} = (D_i^{k-1})^{x_i,s_i}$ gives $f \in (D_i^{k-1})^{x_i,s_i} \subseteq\ $, as desired. Now suppose that $\psi$ has stratum $k$. Because $\psi \in G$, there is a rule $\varphi \in \mathit{pure}(\mathcal{P})$ and valuation $V$ so that $\psi$ is obtained from $\varphi$ by applying valuation $V$ and subsequently removing the negative (ground) body literals, and so that $V(\mathit{neg}_\varphi) \cap M = \emptyset$. Let $\varphi' \in \mathcal{P}$ be the original deductive rule on which $\varphi$ is based. Thus $\varphi' \in \mathit{deduc}_{\mathcal{P}}$ (see Section 4.1.2). By construction of $\varphi$ out of $\varphi'$, valuation $V$ can also be applied to rule $\varphi'$. We now show that $V$ is satisfying for $\varphi'$ during the computation of $D_i$, in stratum $k$. Since $V(\mathit{head}_\varphi) = \mathit{head}_\psi = f$, this results in the derivation of $V(\mathit{head}_{\varphi'}) \in D_i^{k}$ and thus $f \in (D_i^{k})^{x_i,s_i}$, as desired. It is sufficient to show $V(\mathit{pos}_{\varphi'}) \subseteq D_i^{k}$ and $V(\mathit{neg}_{\varphi'}) \cap D_i^{k-1} = \emptyset$, because by the syntactic stratification, if $\varphi'$ uses relations positively then those relations are in stratum $k$ or lower, and if $\varphi'$ uses relations negatively then those relations are in a stratum strictly lower than $k$.

We show $V(\mathit{pos}_{\varphi'}) \subseteq D_i^{k}$. First, by the relationship between $\varphi$ and $\varphi'$, and because valuation $V$ assigns $x_i$ and $s_i$ to respectively the body location variable and body timestamp variable of $\varphi$, we have $\mathit{pos}_\psi = V(\mathit{pos}_\varphi) = V(\mathit{pos}_{\varphi'})^{x_i,s_i}$. By choice of $\psi$, we already know $\mathit{pos}_\psi \subseteq M_{l-1}$. If we could show $\mathit{pos}_\psi \subseteq\ $ then $\mathit{pos}_\psi \subseteq (M_{l-1} \cap\ )|\ $, to which the induction hypothesis can be applied to obtain $\mathit{pos}_\psi = V(\mathit{pos}_{\varphi'})^{x_i,s_i} \subseteq (D_i^{k})^{x_i,s_i}$, resulting in $V(\mathit{pos}_{\varphi'}) \subseteq D_i^{k}$, as desired.

Now we show $\mathit{pos}_\psi \subseteq\ $. Let $g \in \mathit{pos}_\psi$. If $g \in\ $ then we immediately have $g \in\ $. Now suppose that $g \notin M^{\,}$. Since $\mathit{pos}_\psi \subseteq\ $ we have $g \in\ \setminus M^{\,}$. Then the corresponding earlier claim implies there is an active deductive ground rule $\psi' \in G$ with $\mathit{head}_{\psi'} = g$. But we are working with a syntactic stratification, and thus the stratum of $\psi'$ can not be higher than the stratum of $\psi$, which is $k$. Hence $g \in\ \subseteq\ $.

We show $V(\mathit{neg}_{\varphi'}) \cap D_i^{k-1} = \emptyset$. By choice of $\varphi$ and $V$, we have $V(\mathit{neg}_\varphi) \cap M = \emptyset$. So,

$$V(\mathit{neg}_\varphi) \cap (M^{k-1})|^{x_i,s_i} = \emptyset.$$

By applying the given equality we then have $V(\mathit{neg}_\varphi) \cap (D_i^{k-1})^{x_i,s_i} = \emptyset$. By the relationship between $\varphi$ and $\varphi'$, we have $V(\mathit{neg}_\varphi) = V(\mathit{neg}_{\varphi'})^{x_i,s_i}$. Thus $V(\mathit{neg}_{\varphi'}) \cap D_i^{k-1} = \emptyset$, as desired.

□


Claim 28 

Let $i \in \mathbb{N}$. Let $k$ be a stratum number (thus $k \geq 1$). Suppose that

$$(M^{k-1})|^{x_i,s_i} = (D_i^{k-1})^{x_i,s_i}.$$

We have

Proof

Recall that the semantics of stratum $k$ in $\mathit{deduc}_{\mathcal{P}}$ is that of semi-positive Datalog$^{\neg}$, with input $D_i^{k-1}$. So, we can consider $D_i^{k}$ to be a fixpoint, i.e., as the set $\bigcup_{l \in \mathbb{N}} A_l$ with $A_0 = D_i^{k-1}$ and $A_l = T(A_{l-1})$ for each $l \geq 1$, where $T$ is the immediate consequence operator of stratum $k$ in $\mathit{deduc}_{\mathcal{P}}$. We show by induction on $l = 0, 1, 2$, etc., that

This then gives us the desired result.

Base case ($l = 0$) We have $A_0 = D_i^{k-1}$. By applying the given equality, we obtain

Induction hypothesis Let $l \geq 1$. We assume

Inductive step Let $f \in A_l$. We show $\ \in\ $. If $f \in A_{l-1}$ then the induction hypothesis can be applied to obtain the desired result. Now suppose $f \in A_l \setminus A_{l-1}$. Let $\varphi \in \mathit{deduc}_{\mathcal{P}}$ and $V$ be respectively a rule with stratum $k$ and a valuation that together have derived $f \in A_l$. Let $\varphi' \in \mathit{pure}(\mathcal{P})$ be the rule obtained from $\varphi$ by applying the transformation into $\mathit{pure}(\mathcal{P})$. Let $V'$ be the extension of $V$ to assign $x_i$ and $s_i$ respectively to the body location and timestamp variable of $\varphi'$, which are also both used in the head of $\varphi'$. Let $\psi$ be the ground rule obtained from $\varphi'$ by applying valuation $V'$ and by subsequently removing all negative body literals. We show $\psi \in G$ and $\mathit{pos}_\psi \subseteq M$, which then implies

$$\mathit{head}_\psi = V'(\mathit{head}_{\varphi'}) = V(\mathit{head}_\varphi)^{x_i,s_i} =\ \in M.$$

Moreover, because $\varphi$ (and thus $\varphi'$) has stratum $k$, rule $\psi$ is an active deductive ground rule with stratum $k$, and thus $\ \in (M^{\mathit{deduc},k})|^{x_i,s_i}$, as desired.

• To show $\psi \in G$, we require $V'(\mathit{neg}_{\varphi'}) \cap M = \emptyset$. Because $V$ is satisfying for $\varphi$, and because negation is only applied to lower strata, we have

$$V(\mathit{neg}_\varphi) \cap D_i^{k-1} = \emptyset.$$

Thus

$$V(\mathit{neg}_\varphi)^{x_i,s_i} \cap (D_i^{k-1})^{x_i,s_i} = \emptyset.$$

By the relationship between $\varphi$ and $\varphi'$, we have $V(\mathit{neg}_\varphi)^{x_i,s_i} = V'(\mathit{neg}_{\varphi'})$, which gives us

$$V'(\mathit{neg}_{\varphi'}) \cap (D_i^{k-1})^{x_i,s_i} = \emptyset.$$

And by using the given equality we have

$$V'(\mathit{neg}_{\varphi'}) \cap (M^{k-1})|^{x_i,s_i} = \emptyset.$$

Now, for the last step, we work towards a contradiction: suppose that there is a fact $g \in V'(\mathit{neg}_{\varphi'}) \cap M$. From the construction of $\varphi'$, we know that $g$ is over $\mathit{sch}(\mathcal{P})^{\mathrm{LT}}$ and has location specifier $x_i$ and timestamp $s_i$.

— If $g$ is over $\mathit{edb}(\mathcal{P})^{\mathrm{LT}}$ then $g \in\ $. Thus $g \in\ \subseteq\ $, which is a contradiction.

— If $g$ is over $\mathit{idb}(\mathcal{P})^{\mathrm{LT}}$ then there is an active ground rule $\psi' \in G$ with $\mathit{head}_{\psi'} = g$. As seen in Section B.1, rule $\psi'$ is either deductive, inductive or a delivery. The last two cases would imply that $g \in (M^{\mathit{induc}} \cup M^{\mathit{deliv}})|^{x_i,s_i} \subseteq\ $, which gives a contradiction like in the previous case. Now suppose that $\psi'$ is deductive. Because the predicate of $g$ is used negatively in $\varphi'$ and thus negatively in $\varphi$, the syntactic stratification assigns a smaller stratum number to $\psi'$ than the stratum number of $\psi$, which is $k$. Hence, $g \in\ $, which is again a contradiction.

We conclude that $V'(\mathit{neg}_{\varphi'}) \cap M = \emptyset$.

• We show $\mathit{pos}_\psi \subseteq M$. Because $V$ is satisfying for $\varphi$, we have $V(\mathit{pos}_\varphi) \subseteq A_{l-1}$. By the relationship between $\varphi$ and $\varphi'$ (and $\psi$), we have $V(\mathit{pos}_\varphi)^{x_i,s_i} = V'(\mathit{pos}_{\varphi'}) = \mathit{pos}_\psi$. Thus

$$\mathit{pos}_\psi \subseteq (A_{l-1})^{x_i,s_i}.$$

By now applying the induction hypothesis, we obtain, as desired:

$$\mathit{pos}_\psi \subseteq\ \subseteq M.$$

□



